Improper Authentication in FortiOS - CVE-2020-12812

 

Improper Authentication in FortiOS - CVE-2020-12812

Published: July 16, 2020 / Updated: January 5, 2026


Vulnerability identifier: #VU30135
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2020-12812
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Fortinet, Inc
Affected software:
FortiOS

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests in SSL VPN. A remote authenticated attacker can changed the case of their username and gain unauthorized access to the application without being prompted for the second factor of authentication (FortiToken).


How to mitigate CVE-2020-12812

Install updates from vendor's website.

Sources