Cyber Resilience

CVE-2020-12812

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 24 July 2020

Modified: 24 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4191 (97.5th percentile)
Risk Priority: 65 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-12812 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

An improper authentication vulnerability exists in the SSL VPN component of FortiOS versions 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. The flaw, tracked under CWE-178 and CWE-287, allows successful login without the second authentication factor (FortiToken) when an attacker varies the case of the supplied username.

Remote attackers with no prior credentials can exploit the issue over the network to obtain full access equivalent to a valid two-factor session. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting that no user interaction or special privileges are required and that confidentiality, integrity, and availability impacts are all high.

The issue is documented in Fortinet advisory FG-IR-19-283 and appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
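As an added illustration (not Fortinet's code or this page's own), a toy Python model of the CWE-178 pattern the analysis describes: primary authentication resolves the account case-insensitively while the second-factor enrolment lookup uses the username exactly as typed, shown beside the hardened form that canonicalises once and checks both factors against the same record. All account names and codes are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    password: str
    token_code: Optional[str]  # None = no second factor enrolled


# Constructed directory for the toy; not a FortiOS data structure.
ACCOUNTS = {"alice": Account(password="correct horse", token_code="123456")}


def find_account(username: str) -> Optional[Account]:
    """Primary lookup: case-insensitive, as the underlying directory often is."""
    for name, acct in ACCOUNTS.items():
        if name.casefold() == username.casefold():
            return acct
    return None


def login_weak(username: str, password: str, token: Optional[str] = None) -> str:
    """The flawed shape: the password check resolves 'ALICE' to the account,
    but the enrolment lookup uses the username as typed, finds no entry, and
    treats the login as one with no second factor to check."""
    acct = find_account(username)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return "denied"
    enrolled = ACCOUNTS.get(username)  # exact-case lookup: the CWE-178 defect
    if enrolled is None or enrolled.token_code is None:
        return "ok-no-2fa"
    if token is None or not hmac.compare_digest(enrolled.token_code, token):
        return "denied"
    return "ok-2fa"


def login_fixed(username: str, password: str, token: Optional[str] = None) -> str:
    """Canonicalise once; both factors are checked against the same record."""
    acct = find_account(username)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return "denied"
    if acct.token_code is None:
        return "ok-no-2fa"
    if token is None or not hmac.compare_digest(acct.token_code, token):
        return "denied"  # fail closed when the enrolled factor is missing or wrong
    return "ok-2fa"
```

The weak variant accepts a correct password for a differently-cased username without ever consulting the token, which is the behaviour the advisory describes; the fixed variant denies the same request.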

EU & UK References

Vulnerability details

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

CWE(s): CWE-178, CWE-287
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet fortios: 6.4.0 · ≤ 6.0.10 · 6.2.0 — 6.2.4

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement
prevent

Directly requires the system to enforce approved authorizations (including successful 2FA) before granting SSL VPN session access, blocking the case-variation bypass.

IA-2 Identification and Authentication (Organizational Users)
prevent

Mandates reliable identification and authentication of users prior to system access, which the FortiToken case-sensitivity flaw violates.

AC-17 Remote Access (partial match)
prevent

Requires authentication and enforcement of usage restrictions for all remote (SSL VPN) connections, directly addressing the exposed attack surface.

References