Attackers exploit five-year-old Fortinet vulnerability

Fortinet warns of active attacks on a five-year-old vulnerability in FortiOS. The vulnerability makes it possible to bypass two-factor authentication on VPN connections, despite a patch having been available since 2020.

The vulnerability, CVE-2020-12812, affects the SSL VPN component of FortiOS, the operating system that runs on Fortinet devices such as firewalls and VPN appliances. Attackers can bypass the 2FA enabled for a VPN account by changing the username. The problem occurs when 2FA is enabled for an account defined under the “user local” setting and a remote authentication method is also configured for that user.

On a scale of 1 to 10, the vulnerability was given a score of 9.8, indicating a critical security flaw. Fortinet published a security bulletin on July 13, 2020, and made patches available.

Warnings went unheeded

In 2021, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the UK National Cyber Security Centre (NCSC) warned of abuse of the security vulnerability. This was despite the fact that patches had been available for over a year at that point.

A few days ago, Fortinet reported once again that attackers are still exploiting the vulnerability. These attacks target configurations that use LDAP. Fortinet does not provide details about the attacks themselves, such as which organizations were affected or how the attacks were carried out.

Fortinet targeted again

The warning about attacks on FortiOS coincides with vulnerabilities found in other Fortinet products. Last month, it was announced that the company had again been hit by a zero-day vulnerability in FortiWeb. That security vulnerability was also actively exploited before a patch was available.

In its recent warning, Fortinet emphasizes the circumstances in which the attacks are possible. The security company also reiterates that a security update has been available for more than five years. The message is clear: organizations that have not yet installed the patch are at significant risk.