CVE-2020-12812
Published: 24 July 2020
Summary
CVE-2020-12812 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
An improper authentication vulnerability exists in the SSL VPN component of FortiOS versions 6.4.0, 6.2.0 through 6.2.3, and 6.0.9 and earlier. The flaw, tracked under CWE-178 and CWE-287, allows successful login without the second authentication factor (FortiToken) when an attacker varies the case of the supplied username.
Remote attackers with no prior credentials can exploit the issue over the network to obtain full access equivalent to a valid two-factor session. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting that no user interaction or special privileges are required and that confidentiality, integrity, and availability impacts are all high.
The issue is documented in Fortinet advisory FG-IR-19-283 and appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
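As an added illustration of the CWE-178 pattern described above (a constructed toy, not FortiOS code; the directory contents, record layout and function names are assumptions), the defective lookup beside its canonicalized form:

```python
"""Toy two-step login flow showing CWE-178 (constructed example, not FortiOS code).

The directory matches usernames case-insensitively, but the vulnerable flow
keys its second-factor enrollment lookup on the name exactly as typed. A
differently-cased name therefore finds no enrollment and is never challenged.
The hardened flow resolves the canonical identity once and uses it everywhere.
"""
from dataclasses import dataclass

# Constructed directory: canonical username -> (password, second factor enrolled)
USERS = {
    "alice": ("correct horse battery staple", True),
}


@dataclass
class LoginResult:
    authenticated: bool
    mfa_required: bool  # whether the flow would prompt for the second factor


def _lookup_user(username: str):
    """Case-insensitive match, as a directory backend commonly does."""
    for canonical, record in USERS.items():
        if canonical.casefold() == username.casefold():
            return canonical, record
    return None, None


def login_vulnerable(username: str, password: str) -> LoginResult:
    canonical, record = _lookup_user(username)
    if record is None or record[0] != password:
        return LoginResult(False, False)
    # Defect: enrollment is looked up under the name as typed, not the
    # canonical name, so a case variant finds no enrollment and skips MFA.
    mfa_required = USERS.get(username, (None, False))[1]
    return LoginResult(True, mfa_required)


def login_hardened(username: str, password: str) -> LoginResult:
    canonical, record = _lookup_user(username)
    if record is None or record[0] != password:
        return LoginResult(False, False)
    # Fix: every policy decision after the match uses the canonical identity.
    mfa_required = USERS[canonical][1]
    return LoginResult(True, mfa_required)
```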
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-5095
Vulnerability details
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
- CWE(s): CWE-178, CWE-287
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly requires the system to enforce approved authorizations (including successful 2FA) before granting SSL VPN session access, blocking the case-variation bypass.
- IA-2 (Identification and Authentication (Organizational Users)): mandates reliable identification and authentication of users prior to system access, which the FortiToken case-sensitivity flaw violates.
- AC-17 (Remote Access): requires authentication and enforcement of usage restrictions for all remote (SSL VPN) connections, directly addressing the exposed attack surface.