01/69 Monday, January 5, 2026

Recent data from Shadowserver reveals that more than 10,000 Fortinet firewall devices remain exposed to the internet without critical security patches applied and are actively at risk of exploitation via CVE-2020-12812, a severe vulnerability first disclosed in 2020. Statistics indicate that Asia is the most affected region, with over 5,355 exposed devices, followed by North America and Europe. Fortinet reiterated in an advisory last week that it continues to observe ongoing exploitation attempts targeting improperly configured devices.
CVE-2020-12812, rated 9.8/10 (Critical), affects FortiGate devices that use SSL VPN in conjunction with LDAP authentication. The flaw allows attackers to bypass two-factor authentication (2FA) simply by changing the letter case (uppercase or lowercase) of characters in the username during login. When this occurs, the system skips the FortiToken verification step entirely. Although Fortinet released patches in FortiOS versions 6.4.1, 6.2.4, and 6.0.10, the large number of unpatched systems shows that many organizations continue to underestimate this risk.
In the past, security agencies such as CISA and the FBI have warned that this vulnerability has been widely abused by nation-state threat actors and ransomware groups to gain initial access to enterprise networks. Recent cases have also linked the China-based threat group Volt Typhoon to the exploitation of FortiOS vulnerabilities to deploy malware. As a result, system administrators are strongly urged to immediately verify firmware versions and apply the necessary updates, or, if patching is not feasible, to disable username case sensitivity to mitigate the risk of authentication bypass attacks.
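Added example, not from the original article or from Fortinet: a log-review check for the pattern described above, flagging VPN logins whose username differs only in letter case from an account enrolled for 2FA and that completed without a token step. The record fields, the account names and the `token_checked` flag are constructed assumptions, not FortiOS log syntax.

```python
# Accounts enrolled for token-based 2FA, spelled exactly as configured (constructed).
TWO_FACTOR_USERS = {"jsmith", "a.lee"}

# Constructed, vendor-neutral login records; map your own log fields onto these keys.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T08:01:12Z", "user": "jsmith", "result": "success", "token_checked": True},
    {"time": "2026-01-05T08:07:40Z", "user": "JSmith", "result": "success", "token_checked": False},
    {"time": "2026-01-05T08:09:03Z", "user": "A.LEE", "result": "failure", "token_checked": False},
    {"time": "2026-01-05T08:15:55Z", "user": "bwong", "result": "success", "token_checked": False},
    {"time": "2026-01-05T08:20:31Z", "user": "a.lee", "result": "success", "token_checked": False},
]


def classify(event, enrolled=TWO_FACTOR_USERS):
    """Return a finding label for one login record, or None if nothing stands out."""
    user = event["user"]
    # Index enrolled names by their case-folded form so a case-only variant
    # still resolves to the account it is aimed at.
    by_folded = {name.casefold(): name for name in enrolled}
    configured = by_folded.get(user.casefold())
    if configured is None:
        return None  # not a 2FA-enrolled account; outside this check
    case_variant = user != configured
    if event["result"] != "success":
        # A failed login with altered case is still worth reviewing as an attempt.
        return "case-variant-attempt" if case_variant else None
    if event["token_checked"]:
        return None  # second factor was enforced, whatever the spelling
    # Success for an enrolled account with no token step: 2FA was not applied.
    return "case-variant-no-2fa" if case_variant else "exact-name-no-2fa"


def findings(events, enrolled=TWO_FACTOR_USERS):
    """Return (time, user, label) for every record that classify() flags."""
    out = []
    for event in events:
        label = classify(event, enrolled)
        if label:
            out.append((event["time"], event["user"], label))
    return out


if __name__ == "__main__":
    for row in findings(SAMPLE_EVENTS):
        print(*row)
```

A `case-variant-no-2fa` finding matches the bypass pattern the article describes; `exact-name-no-2fa` points to a separate policy gap for the same account.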
