CVE-2020-12812

Published: Jul 24, 2020Modified: Oct 24, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Affected (3)

Products: Fortinet: Fortios

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	Before 6.0.10
Fortinet Fortios	From 6.2.0 to 6.2.4
Fortinet Fortios	Version 6.4.0

Related CWEs

Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (3)

https://fortiguard.com/psirt/FG-IR-19-283

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.com/psirt/FG-IR-19-283

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12812

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.