CVE-2020-12812

Fortinet FortiOS SSL VPN Improper Authentication Vulnerability

Severity Score: 9.8 (CVSS v3.1)

Exploit Likelihood: (EPSS)

Affected Versions: (CPE)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: Yes (KEV)

Decision: - (SSVC)

Descriptions

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

An improper authentication vulnerability in SSL VPN in FortiOS versions 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and later may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-05-12 CVE Reserved
  • 2020-07-24 CVE Published
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2024-02-14 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- First Exploit
CWE
  • CWE-178: Improper Handling of Case Sensitivity
  • CWE-287: Improper Authentication
CAPEC
References (1)
Affected Vendors, Products, and Versions
  • Fortinet Fortios < 6.0.10: Affected
  • Fortinet Fortios >= 6.2.0 < 6.2.4: Affected
  • Fortinet Fortios 6.4.0: Affected