Researchers warn that thousands of Fortinet instances are at risk of exploitation after the company disclosed that a legacy flaw is under renewed attack.
The vulnerability, tracked as CVE-2020-12812, has been exploited in the wild in recent weeks against devices running under certain configurations, according to a blog post Fortinet published on Christmas Eve.
The original flaw is an improper authentication vulnerability in the SSL VPN component of FortiOS that can allow a user to log in without being prompted for a second factor.
Under certain configurations, FortiGate can allow Lightweight Directory Access Protocol (LDAP) users to bypass two-factor authentication and instead authenticate against the LDAP directory directly, according to Fortinet. The company attributes this to differences in how LDAP directories behave.
The behavior stems from FortiGate treating usernames as case-sensitive by default while the LDAP directory treats them as case-insensitive, according to the blog. A username entered with different capitalization can therefore miss the FortiGate entry that enforces the second factor yet still be accepted by the directory, which is the condition the original CVE description attaches to the bypass.
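The following is a constructed model of that mismatch, added here as an illustration; it is not FortiOS code and does not reproduce Fortinet's implementation. It assumes a hypothetical two-stage flow in which a case-sensitive local policy table is consulted in front of a case-insensitive directory bind, and all user names, passwords and the token value are made up. The hardened variant normalises the name to the directory's matching rule before the policy lookup and fails closed when no policy entry exists, which is one design choice rather than Fortinet's fix.

```python
from typing import Optional

# Constructed local policy table: which users must present a second factor.
# Assumption for the model: this table is matched case-sensitively.
LOCAL_POLICY = {
    "alice": {"two_factor": True},
}

# Constructed LDAP directory. Directories such as Active Directory match
# account names case-insensitively, so ldap_bind() lower-cases the name.
LDAP_DIRECTORY = {
    "alice": "correct horse battery staple",
}

VALID_OTP = "123456"  # constructed token value for the example


def ldap_bind(username: str, password: str) -> bool:
    """Simulate an LDAP simple bind; the directory ignores user-name case."""
    return LDAP_DIRECTORY.get(username.lower()) == password


def authenticate_vulnerable(username: str, password: str,
                            otp: Optional[str] = None) -> str:
    """Flow with the case-sensitivity mismatch.

    The policy table is consulted with the name exactly as typed. "Alice"
    finds no entry, so the request falls through to the directory alone and
    the two-factor requirement attached to "alice" is never enforced.
    """
    if not ldap_bind(username, password):
        return "denied"
    policy = LOCAL_POLICY.get(username)          # case-sensitive lookup
    if policy is None:
        return "granted"                         # fall-through: no 2FA check
    if policy["two_factor"] and otp != VALID_OTP:
        return "second factor required"
    return "granted"


def authenticate_hardened(username: str, password: str,
                          otp: Optional[str] = None) -> str:
    """Same flow with two changes: look up policy under the same case rule
    the directory uses, and deny rather than fall through when a directory
    user has no policy entry at all."""
    if not ldap_bind(username, password):
        return "denied"
    policy = LOCAL_POLICY.get(username.lower())  # matches the directory's rule
    if policy is None:
        return "denied"                          # fail closed, no fall-through
    if policy["two_factor"] and otp != VALID_OTP:
        return "second factor required"
    return "granted"


if __name__ == "__main__":
    pw = LDAP_DIRECTORY["alice"]
    print("vulnerable, 'alice':", authenticate_vulnerable("alice", pw))
    print("vulnerable, 'Alice':", authenticate_vulnerable("Alice", pw))
    print("hardened,   'Alice':", authenticate_hardened("Alice", pw))
    print("hardened,   'Alice' + OTP:", authenticate_hardened("Alice", pw, VALID_OTP))
```

Run as a script, the vulnerable flow prompts "alice" for a second factor but grants "Alice" with the password alone, while the hardened flow demands the token regardless of capitalization. The general lesson is that every component in an authentication chain must apply the same identifier-normalisation rule; a stricter front-end match than the back-end's is exactly the gap a variant identifier slips through.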
Researchers at Shadowserver on Friday warned that more than 10,000 Fortinet firewalls remain unpatched, even though the original flaw was disclosed in July 2020.
The vulnerability has been exploited by a range of actors over the past few years, including ransomware groups tracked as Play and Hive as well as threat actors linked to Iran, according to VulnCheck.
“The vulnerability itself is an improper access control flaw in Fortigate SSL VPNs that allows for initial access to target environments — always a popular type of vulnerability for attackers,” Caitlin Condon, VP security research at VulnCheck, told Cybersecurity Dive. “It's disappointing that a five-plus year-old vulnerability is still being leveraged successfully in attacks, but unfortunately, it's not terribly surprising.”
The company asked users to get in contact if there is evidence they may have been impacted.
Editor’s note: Adds comment from VulnCheck.