Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283
ID: 0080c332-4482-53e6-b5e4-9068bfeee6d7
STIX ID: report--0080c332-4482-53e6-b5e4-9068bfeee6d7
Feed Name: Fortinet Blog
Fortinet warns of CVE-2020-12812 (FG-IR-19-283): when FortiGate treats usernames as case-sensitive but the LDAP directory does not, a user can bypass locally configured 2FA by entering the username in a different case, which causes authentication to fall back to LDAP and succeed without a token. The advisory describes affected configurations, reproduction steps, and observed abuse, and recommends upgrading to fixed FortiOS releases or disabling username case-sensitivity with the provided configuration commands.
