Archive: https://archive.today/qj4AE From the post: >>Tracked as CVE-2020-12812, the exploited FortiOS vulnerability exists because, in certain configurations, users can authenticate without being prompted for two-factor authentication (2FA). The security defect, Fortinet says, is due to differences in the behavior of FortiGate and LDAP Directory when it comes to authentication: while FortiGate treats usernames as case-sensitive by default, LDAP Directory does not. Attackers can change the case of the username, which results in the impacted appliance not requesting the second factor of authentication (FortiToken).