Critical - CVSS 9.8
Known Ransomware Use
Added 11/3/2021

Fortinet FortiOS SSL VPN Improper Authentication Vulnerability

CVE-2020-12812
Action was due by: 5/3/2022
CISA Known Exploited Vulnerability

This vulnerability is part of CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. It has been observed in ransomware campaigns.

Overview

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username.

Vendor

Fortinet

Product

FortiOS

Category

Mobile

Technical Details

Affected Versions

See vendor advisory

Technical Description

This vulnerability was identified in FortiOS by Fortinet. Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username.

Exploitability

High - Known ransomware exploitation

Impact

Complete system compromise possible

Additional Notes

https://nvd.nist.gov/vuln/detail/CVE-2020-12812

Required Action (CISA)

Apply updates per vendor instructions.

Due Date: 5/3/2022