CVE-2020-12812
CRITICAL KEV RANSOMWARE
FortiOS <6.4.0 - Auth Bypass
Title source: llm
Description
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
Scores
CVSS v3
9.8
EPSS
0.4850
EPSS Percentile
97.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV
2021-11-03
VulnCheck KEV
2021-04-02
InTheWild.io
2021-07-23
ENISA EUVD
EUVD-2020-5095
Ransomware Use
Confirmed
CWE
CWE-287
CWE-178
Status
published
Products (2)
fortinet/fortios
6.4.0
fortinet/fortios
< 6.0.10
Published
Jul 24, 2020
KEV Added
Nov 03, 2021
Tracked Since
Feb 18, 2026