Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass

Phong Xuan

Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.

Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.

This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is changed.

Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.

"Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations," .
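As an added example (not from the article or from Fortinet), the Python sketch below audits a FortiOS configuration backup for the combination described above: LDAP-backed local users with two-factor authentication that do not have username-case-sensitivity turned off. Only the `username-case-sensitivity` setting name comes from the article; the surrounding `config user local` layout, the `set type ldap` and `set two-factor fortitoken` lines, the sample data and the function names are assumptions made for illustration.

```python
# Constructed sample of a FortiOS config backup (not taken from a real device).
# The block layout and setting names other than username-case-sensitivity are assumed.
SAMPLE_CONFIG = '''\
config user local
    edit "alice"
        set type ldap
        set two-factor fortitoken
    next
    edit "bob"
        set type ldap
        set two-factor fortitoken
        set username-case-sensitivity disable
    next
    edit "carol"
        set type password
    next
end
'''

def parse_local_users(config_text):
    """Return {username: {setting: value}} for the 'config user local' block."""
    users, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user local":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            users[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                users[current][parts[1]] = parts[2].strip('"')
    return users

def users_needing_review(config_text):
    """LDAP-backed local users with 2FA whose name matching is still case-sensitive."""
    flagged = []
    for name, cfg in parse_local_users(config_text).items():
        uses_2fa = cfg.get("two-factor", "disable") != "disable"
        case_insensitive = cfg.get("username-case-sensitivity") == "disable"
        if cfg.get("type") == "ldap" and uses_2fa and not case_insensitive:
            flagged.append(name)
    return sorted(flagged)
```

A setting that is absent from the backup is treated as still at its default, so any user returned here should be checked against the device's FortiOS version and the workaround in the advisory.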

On Friday, Internet security watchdog Shadowserver revealed that it currently tracks over 10,000 Fortinet firewalls still exposed on the Internet that are unpatched against CVE-2020-12812 and vulnerable to these ongoing attacks, with over 1,300 IP addresses in the United States.

Fortinet firewalls exposed to CVE-2020-12812 attacks (Shadowserver)

​ in April 2021 that state-sponsored hacking groups were targeting Fortinet FortiOS instances using exploits for multiple vulnerabilities, including one that abused CVE-2020-12812 to bypass 2FA.

Seven months later, CISA , tagging it as exploited in ransomware attacks and ordering U.S. federal agencies to secure their systems by May 2022.

Fortinet vulnerabilities are frequently exploited in attacks (often as zero-day vulnerabilities). For instance, cybersecurity company Arctic Wolf that threat actors were already abusing a critical authentication bypass vulnerability (CVE-2025-59718) to hijack admin accounts via malicious single sign-on (SSO) logins.

One month earlier, Fortinet (CVE-2025-58034), and one week later, it that it had silently patched a second FortiWeb zero-day (CVE-2025-64446) that was .

In February 2025, it also that the exploited two FortiOS flaws (CVE-2023-27997 and CVE-2022-42475) to backdoor a military network using custom Coathanger remote access trojan malware.
