Five-year-old Fortinet FortiOS SSL VPN vulnerability actively exploited

Pierluigi Paganini December 25, 2025

Fortinet reported active exploitation of a five-year-old FortiOS SSL VPN flaw, abused in the wild under specific configurations.

Fortinet researchers observed “recent abuse” of a five-year-old security vulnerability, tracked as CVE-2020-12812 (CVSS score: 5.2), in FortiOS SSL VPN. The vulnerability is exploited in attacks in the wild under certain configurations.

CVE-2020-12812 is an improper authentication flaw in FortiOS SSL VPN that may allow users to bypass two-factor authentication by changing the case of the username, enabling successful login without being prompted for the second authentication factor.

“An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.” reads the advisory published by the vendor.
“This happens when two-factor authentication is enabled in the “user local” setting, and that user authentication type is set to a remote authentication method (eg: ldap). The issue exists because of inconsistent case sensitive matching among the local and remote authentication.”

In certain setups, FortiGate may let LDAP users bypass 2FA due to case-sensitive username handling, while LDAP is case-insensitive. If a user enters a differently cased username, FortiGate may skip the local 2FA user and authenticate directly via LDAP group policies. This can allow admin or VPN access without 2FA, potentially compromising systems and requiring full credential resets.

The issue occurs when FortiGate has local 2FA users linked to LDAP, the same users belong to LDAP groups used in authentication policies, and username case differs at login. A case mismatch prevents matching the local 2FA user, causing FortiGate to fall back to LDAP authentication and potentially bypass 2FA.

“This particular authentication behavior is caused by FortiGate treating usernames as case-sensitive by default, when the LDAP Directory does not.” states Fortinet.

“To trigger this issue, an organization must have the following configuration present:

  • Local user entries on the FortiGate with 2FA, referencing back to LDAP
  • The same users need to be members of a group on the LDAP server
  • At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate, and the group needs to be used in an authentication policy which could include for example administrative users, SSL, or IPSEC VPN”

Fortinet addressed the vulnerability in FortiOS 6.0.10, 6.2.4, and 6.4.1 in July 2020.

Organizations that have not yet upgraded to a fixed FortiOS release can mitigate the authentication bypass by executing the following command for all local users:

set username-case-sensitivity disable

Customers using FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1, or newer should instead apply this setting:

set username-sensitivity disable

Disabling username sensitivity makes FortiGate treat all username case variations as the same, preventing fallback to misconfigured LDAP groups.
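To make the decision path described above concrete, here is an added Python model of the vulnerable lookup and its mitigation (constructed for this article, not Fortinet's code). It assumes a simplified FortiGate with one local 2FA user whose authentication type is LDAP, an LDAP group used in a VPN policy, and that the password has already been verified against LDAP; `password_ok` and `token_ok` are placeholder inputs.

```python
"""Model of the CVE-2020-12812 fallback: case-sensitive local-user lookup
versus a case-insensitive LDAP directory (constructed example)."""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    two_factor: bool        # local user configured with a FortiToken
    auth_type: str = "ldap"  # remote authentication type, as in the advisory


@dataclass
class FortiGate:
    local_users: dict       # username -> LocalUser (the "user local" table)
    ldap_groups: dict       # LDAP group -> member names
    policy_groups: set      # LDAP groups referenced by an authentication policy
    case_sensitive: bool = True  # default before 'username-case-sensitivity disable'

    def find_local_user(self, username):
        """Default behaviour: exact-case match only; mitigated: casefolded match."""
        if self.case_sensitive:
            return self.local_users.get(username)
        return next((u for u in self.local_users.values()
                     if u.name.casefold() == username.casefold()), None)

    def ldap_group_match(self, username):
        """LDAP compares names case-insensitively, so any casing is a member."""
        return any(username.casefold() in {m.casefold() for m in members}
                   for group, members in self.ldap_groups.items()
                   if group in self.policy_groups)

    def authenticate(self, username, password_ok, token_ok):
        """Return (access_granted, second_factor_was_required)."""
        if not password_ok:
            return (False, False)
        user = self.find_local_user(username)
        if user is not None:                      # local 2FA user matched
            return (token_ok, True) if user.two_factor else (True, False)
        if self.ldap_group_match(username):       # fallback: group policy, no 2FA
            return (True, False)
        return (False, False)


def demo(case_sensitive):
    """Exact-case and re-cased logins for the same user, without a token."""
    fg = FortiGate(local_users={"jdoe": LocalUser("jdoe", two_factor=True)},
                   ldap_groups={"vpn-users": {"jdoe"}},
                   policy_groups={"vpn-users"}, case_sensitive=case_sensitive)
    return {"exact": fg.authenticate("jdoe", True, False),
            "recased": fg.authenticate("JDoe", True, False)}
```

With the default setting the re-cased login is granted without a second factor; with case sensitivity disabled both spellings resolve to the local 2FA user and are refused until a valid token is supplied.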

In April 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert to warn of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits, including CVE-2020-12812.

In July 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) published a Joint Cybersecurity Advisory that provides details on the top 30 vulnerabilities exploited by threat actors in 2020, including CVE-2020-12812.

In March 2021, Iran-linked APT groups leveraged Fortinet FortiOS vulnerabilities such as CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 to gain access to target networks.

In May 2022, researchers at Secureworks Counter Threat Unit (CTU) investigated a series of attacks conducted by the Iran-linked COBALT MIRAGE APT group. The threat actors have been active since at least June 2020 and are linked to the Iranian COBALT ILLUSION group (aka APT35, Charming Kitten, PHOSPHOROUS and TunnelVision).

The researchers identified two distinct clusters of intrusions (labeled Cluster A and Cluster B) associated with COBALT MIRAGE, which was spotted exploiting CVE-2020-12812.

The Hive ransomware operators were also observed exploiting the same flaw in 2022 attacks.

Pierluigi Paganini

Source: https://securityaffairs.com/186117/security/five-year-old-fortinet-fortios-ssl-vpn-flaw-actively-exploited.html