Old Fortinet VPN Bug Resurfaces as Active 2FA Bypass Threat

Credited by Freepik

VTA-004550 – Old Fortinet VPN Bug Resurfaces as Active 2FA Bypass Threat

An ongoing campaign exploiting a long-standing vulnerability in Fortinet’s FortiOS and FortiProxy products enables attackers to bypass two-factor authentication (2FA) and gain unauthorized access to day-to-day administrative interfaces. First disclosed in 2020 as CVE-2020-12812, this flaw affects Fortinet firewall appliances that expose the SSL VPN web portal to untrusted networks. Despite being known and patched years ago, evidence shows that over 10,000 devices remain vulnerable and are actively being targeted by attackers to circumvent 2FA protections and compromise administrative sessions.

At the core of the issue is an authentication bypass that occurs when the SSL VPN portal mishandles certain session tokens and API calls, allowing an attacker with only valid low-privilege credentials (such as a VPN user account) to elevate their access and skip two-factor protections entirely. Researchers observed active scanning and exploitation of publicly reachable Fortinet endpoints that still run vulnerable firmware, with hundreds of attempted connections every day from automated scanning infrastructure. Once access is achieved, threat actors can interact with administrative panels, create new accounts or pivot deeper into affected networks.

This campaign is notable for both its longevity and scale. More than 10,000 Fortinet firewalls remain exposed, highlighting how pervasive unpatched infrastructure can become a soft target. Unlike typical ransomware or commodity malware attacks, this exploitation is strategic and stealthy attackers are not simply trying to force down passwords but instead leveraging a legitimate yet flawed authentication flow to bypass security controls designed to protect against exactly these kinds of intrusions..

Severity:
Medium

Attack Surface:
Infrastructure, Remote Access Service, Web Application

Tactics:
Command and Control, Defense Evasion, Discovery, Initial Access, Privilege Escalation

Techniques:
T1556 – Modify Authentication Process
T1078 – Valid Accounts
T1190 – Exploit Public-Facing Application
T1562 – Impair Defenses
T1087 – Account Discovery

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/695b1d355cc96a7acb06bdc9

References:
1. https://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283
2. https://nvd.nist.gov/vuln/detail/cve-2020-12812

SuperPRO’s Threat Countermeasures Procedures:
1. Upgrade FortiOS to versions later than 6.0.10, 6.2.4 or vendor-recommended fixed releases addressing CVE-2020-12812
2. Disable SSL VPN web portal exposure to the public internet where not required
3. Restrict VPN and management access using IP allow-listing and geo-blocking
4. Enforce certificate-based authentication (mutual TLS) for administrative access
5. Monitor logs for abnormal VPN session creation without valid MFA events
6. Rotate credentials for all VPN and administrative users after patching
7. Audit firewall configurations for unauthorized admin accounts or policy changes

Contributed by: Thivya