Fortinet Firewalls Exposed to Active 2FA Bypass Exploits

Introduction

Enterprise perimeter defenses powered by Fortinet FortiGate firewalls are under active assault by threat actors exploiting authentication bypass vulnerabilities that undermine two-factor authentication protections. Despite patches being available for years, misconfigured and unpatched devices exposed to the internet allow attackers to evade multi-factor authentication checks, compromising access control for critical network appliances. Researchers have identified ongoing scanning and exploitation of these weaknesses at scale, underscoring persistent risk for Mid-to-Large enterprises that rely on Fortinet appliances for secure remote access and administrative controls. This in-depth analysis outlines the exploited flaws, affected environments, active threat activity, and actionable mitigations for defenders.

Incident Overview

Security telemetry and researcher reports indicate that:

• Over 10,000 Fortinet FortiGate firewall devices are exposed online and subject to active exploitation attempts targeting legacy authentication bypass flaws.
• The exploited weakness is linked to a 5-year-old vulnerability, CVE-2020-12812, which allows bypassing two-factor authentication under certain LDAP and local user conditions.
• Additional recent authentication bypass issues, including CVE-2025-59718/CVE-2025-59719, enable unauthenticated attackers to authenticate as administrative users or bypass SAML/SSO protections in FortiCloud SSO features when enabled.
• Allied exploitation techniques are being used to extract sensitive configuration files and administrative credentials once access is obtained.

This pattern of exploitation demonstrates how legacy and newly disclosed weaknesses create overlapping vectors for attackers against exposed firewall instances.

Technical Details

CVE-2020-12812: Legacy 2FA Bypass

The 2FA bypass vulnerability arises from inconsistent authentication handling between FortiOS and external LDAP services. When two-factor authentication is enabled for a local user that also participates in an LDAP group, altering the case sensitivity of the username can allow authentication to succeed without completing the second authentication factor.

This bypass undermines FortiToken or similar 2FA setups, effectively reducing an MFA-protected interface to a single-factor login in affected configurations.

CVE-2025-59718 & CVE-2025-59719: SSO Bypass

Newer vulnerabilities tracked as CVE-2025-59718 and CVE-2025-59719 involve improper verification of cryptographic signatures in FortiCloud's SSO authentication. These weaknesses allow an unauthenticated attacker to present a crafted SAML assertion that is incorrectly accepted by the target device, resulting in forced administrative access.

These CVEs impact multiple Fortinet products (FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb) when the SSO login feature is enabled - often by default when linked with FortiCloud services.

Who Is Affected and Why It Matters

Fortinet FortiGate firewalls are widely deployed in enterprise, service provider, and government environments worldwide as core network perimeter devices. Compromise of these devices can lead to:

• Unauthorized administrative access to firewall management consoles
• Extraction of system configuration files, which often contain hashed credentials and network architecture data
• Potential pivot to internal networks via VPN tunnels or exposed administrative channels
• Persistent unauthorized access within a hardened perimeter

Given the critical role of FortiGate appliances in VPN access, SSL inspection, and encrypted traffic management, attackers gaining administrative control pose severe risk to network integrity and data confidentiality.

Active Exploitation and Threat Landscape

Active exploitation is not theoretical. Researchers and security providers have documented:

• Ongoing scanning and exploitation attempts against internet-facing firewall instances exploiting the long-standing CVE-2020-12812 bypass.
• Exploitation attempts leveraging recent SAML/SSO bypass vulnerabilities to authenticate without proper credentials under certain configuration states.
• Instances where extracted configuration files are harvested for credential reuse or lateral movement.

Security analysts characterize these activities as opportunistic but high-impact, targeting organizations that have not applied patches or properly configured authentication features.

Recommended Mitigations and Workarounds

Defenders should prioritize the following actions:

• Inventory and patch: Identify internet-exposed FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager devices, and immediately apply vendor-recommended updates addressing CVE-2020-12812, CVE-2025-59718, and CVE-2025-59719.
• Disable FortiCloud SSO: If not essential, disable SSO features that expose SAML authentication vectors until fully patched and validated.
• Harden LDAP integration: Review and correct LDAP integration and two-factor authentication configurations to ensure misconfigurations do not recreate bypass paths.
• Restrict management plane exposure: Limit administrative access to internal networks and management VLANs, and avoid exposing admin interfaces to the internet.
• Monitor logs: Watch for unusual administrative login attempts or configuration export commands in firewall logs.

In urgent cases where patching is delayed, network access control lists (ACLs) and firewall rules can reduce exposure to external threat scans.

Vendor and Security Community Response

Fortinet has published advisories and PSIRT bulletins addressing both legacy and current vulnerabilities in its products, urging customers to patch promptly and validate configurations. Security firms including Rapid7 and Arctic Wolf have confirmed active exploitation patterns and shared telemetry indicating real-world abuse of authentication bypass bugs.

Additionally, agencies such as CISA have added high-profile Fortinet vulnerabilities like CVE-2025-59718 to their Known Exploited Vulnerabilities (KEV) catalog, emphasizing the national importance of remediation efforts.

Why This Matters

Security appliances like firewalls are trusted guardians of network boundaries. When attackers succeed in bypassing authentication mechanisms like two-factor checks, the resulting compromise can be indistinguishable from legitimate administrative access, significantly raising the stakes. Active exploitation against legacy and recent Fortinet flaws underscores the importance of continuous patch management, configuration hygiene, and exposure reduction. For defenders, the focus should extend beyond patch application to include architecture design that constrains administrative and VPN access to hardened, internal-only segments.

Conclusion

Fortinet firewall deployments continue to face real-world exploitation of authentication bypass vulnerabilities, leaving many systems vulnerable to unauthorized access and configuration theft. Organizations must act swiftly to apply patches, reassess authentication configurations, and reduce management interface exposure to mitigate the ongoing threat. With threat actors actively scanning and exploiting these weaknesses, delayed remediation significantly increases risk to network integrity and operational continuity.