Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
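Over 10,000 Fortinet firewalls remain exposed online and vulnerable to the five-year-old CVE-2020-12812 flaw, which allows two-factor authentication to be bypassed. Fortinet has released patches, but some devices remain unpatched, and attackers are still exploiting the flaw.

2026-1-2 16:15:27 Author: www.bleepingcomputer.com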

Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.

Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.

This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is changed.
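The following triage sketch is an added example, not code from the article or from Fortinet. It classifies firmware versions against the three fixed releases named above and flags successful logins whose username matches a 2FA-enrolled account only after case folding. The account names and event fields are constructed for illustration and are not the FortiOS log format; treating any release below the fixed one in the same branch as needing an update is an assumption.

```python
from dataclasses import dataclass

# Fixed FortiOS releases named in the article, keyed by (major, minor) branch.
FIXED = {(6, 4): (6, 4, 1), (6, 2): (6, 2, 4), (6, 0): (6, 0, 10)}

def patch_status(version: str) -> str:
    """Classify a MAJOR.MINOR.PATCH version against the fixed releases."""
    parts = tuple(int(p) for p in version.strip().lstrip("vV").split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {version!r}")
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown-branch"  # the article names no fixed release here
    # Integer tuples compare correctly; as strings, "6.0.10" sorts before "6.0.9".
    return "patched" if parts >= fixed else "needs-update"

@dataclass
class Login:
    user: str            # username exactly as typed at the VPN prompt
    second_factor: bool  # True if a token was validated for this login
    success: bool

def case_variant_logins(enrolled, events):
    """Successful logins that match an enrolled account only by case folding."""
    exact = set(enrolled)
    folded = {u.casefold(): u for u in enrolled}
    hits = []
    for ev in events:
        canonical = folded.get(ev.user.casefold())
        if ev.success and canonical and ev.user not in exact:
            hits.append((ev.user, canonical, ev.second_factor))
    return hits

# Constructed sample data (hypothetical accounts and events).
ENROLLED = ["jsmith", "akhan"]
EVENTS = [
    Login("jsmith", True, True),    # normal login with token
    Login("JSmith", False, True),   # case variant, succeeded without token
    Login("AKHAN", False, False),   # case variant, but the login failed
    Login("guest", False, True),    # not a 2FA-enrolled account
]

if __name__ == "__main__":
    for v in ("6.0.9", "6.0.10", "6.2.3", "6.4.1", "7.0.0"):
        print(v, patch_status(v))
    for typed, canonical, token in case_variant_logins(ENROLLED, EVENTS):
        print(f"review: {typed!r} logged in as {canonical!r}, token={token}")
```

A hit with `second_factor` false on a device reported as `needs-update` is the combination to review first.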

Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.

"Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations," the company said.

On Friday, Internet security watchdog Shadowserver revealed that it currently tracks over 10,000 Fortinet firewalls still exposed on the Internet that are unpatched against CVE-2020-12812 and vulnerable to these ongoing attacks, with over 1,300 IP addresses in the United States.

Fortinet firewalls exposed to CVE-2020-12812 attacks (Shadowserver)

CISA and the FBI warned in April 2021 that state-sponsored hacking groups were targeting Fortinet FortiOS instances using exploits for multiple vulnerabilities, including one that abused CVE-2020-12812 to bypass 2FA.

Seven months later, CISA added CVE-2020-12812 to its list of known exploited vulnerabilities, tagging it as exploited in ransomware attacks and ordering U.S. federal agencies to secure their systems by May 2022.

Fortinet vulnerabilities are frequently exploited in attacks (often as zero-day vulnerabilities). For instance, cybersecurity company Arctic Wolf warned in December that threat actors were already abusing a critical authentication bypass vulnerability (CVE-2025-59718) to hijack admin accounts via malicious single sign-on (SSO) logins.

One month earlier, Fortinet warned of an actively exploited FortiWeb zero-day (CVE-2025-58034), and one week later, it confirmed that it had silently patched a second FortiWeb zero-day (CVE-2025-64446) that was abused in widespread attacks.

In February 2025, it also disclosed that the Chinese Volt Typhoon threat group exploited two FortiOS flaws (CVE-2023-27997 and CVE-2022-42475) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan malware.

Source: https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/