Fortinet reported that a critical July 2020 FortiOS vulnerability was recently observed being abused in the wild.Fortinet said in a Dec. 24 blog post that the bug — CVE-2020-12812 — can let attackers bypass multi-factor authentication (MFA) without being prompted for a second factor when they change the case of the username.Kevin Surace, chair at Token, explained that this attack abuses a legitimate OAuth login feature by tricking users into approving a device code on a real Microsoft login page, which silently grants attackers access to their account.“A major red flag is being asked to enter a device code or approve an access request that you did not initiate, especially from an email or QR code,” said Surace. “From a security perspective, unexpected OAuth app consents, new token based access without password resets, or unusual mailbox rules appearing after a legitimate login are strong indicators. The challenge is that the login itself looks completely normal, which is why detection often comes too late.”
Related reading:
Microsoft 365 has become a prime target because OAuth tokens can unlock email, files, calendars, and internal collaboration with a single approval, said Surace, adding that this technique has become increasingly common because it scales easily, bypasses MFA by design, and does not rely on fake websites or malware. Attackers prefer it because users trust Microsoft login pages and defenders have fewer obvious signals to block, Surace continued.“It appears that despite this flaw being known and added to CISA’s KEV [Known Exploited Vulnerabilities list], organizations are still running vulnerable Fortinet devices,” said John Bambenek, president at Bambenek Consulting. “This goes to show that network devices remain the soft underbelly of the overall IT stack because of a lack of diligence in applying updates. For organizations that can’t patch, they can still disable the username-case-sensitivity setting and be protected from this flaw.”
Denis Calderone, chief operating officer at Suzu Labs, said Fortinet identified a five-year-old bug that certainly should have been made extinct years ago. However, the fact that there are 20-plus Fortinet vulnerabilities in the CISA KEV catalog means that Fortinet's products are a persistent target — and attackers know this.“The bad actors actively hunt for unpatched FortiGate boxes because the payoff is consistently there,” said Calderone.Based on this reality, Calderone offers three tips to security teams:
- Run the patch: Teams should patch immediately if they have not done so already. Fixes have been available since July 2020.
- Audit LDAP groups: If the team uses LDAP with 2FA, audit all LDAP group configurations for the secondary group misconfiguration Fortinet flagged.
- Remove FortiGate interfaces from the public internet: FortiGate management interfaces (and all such interfaces) should never be internet-accessible, period. Implement VPNs, jumpboxes, and source IP whitelisting to help reduce the organization’s observable footprint. If the company runs these devices, and they have been exposed, assume compromise and hunt for pre-existing indicators of compromise.





