Surge in Brute-Force Attacks Targeting Fortinet SSL VPN Devices
Cybersecurity experts have recently observed a substantial increase in brute-force traffic directed at Fortinet SSL VPN devices. This alarming trend was initially reported by the threat intelligence firm GreyNoise on August 3, 2025, revealing that over 780 unique IP addresses were involved in this coordinated effort.
Patterns of Malicious Activity
In the past 24 hours, as many as 56 unique IP addresses have been identified as malicious, originating from countries including the United States, Canada, Russia, and the Netherlands. The brute-force campaign is reportedly targeting various nations, with notable activity observed in the United States, Hong Kong, Brazil, Spain, and Japan.
GreyNoise indicates this trend is more than mere opportunism. “Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” the firm noted. The focused nature of these attacks raises significant concerns for enterprises relying on Fortinet’s products for secure remote access.
Distinct Waves of Attacks
Analysis by GreyNoise has revealed two distinct waves of attacks, before and after August 5. The first involved prolonged brute-force attempts associated with a single TCP signature, maintaining a consistent level of activity. The second wave presented a sudden surge of traffic featuring a different TCP signature. “While the traffic on August 3 focused on the FortiOS profile, subsequent traffic from August 5 onward was directed at our FortiManager,” the company explained.
This shift in targeting suggests a potential change in attacker behavior, where the same infrastructure may be adapting to exploit additional vulnerabilities within Fortinet’s ecosystem.
Historic Data and Future Implications
Digging deeper into historical data surrounding the post-August 5 TCP fingerprint has revealed an earlier spike in June. This spike featured a unique client signature linked to a FortiGate device within a residential ISP block managed by Pilot Fiber Inc. Such evidence raises crucial questions about how these brute-force attacks were initiated; it’s possible they arose from a home network or involved the use of a residential proxy.
This spike in malicious activity isn’t an isolated event; there’s a notable correlation between upticks in cyberattacks and the disclosure of new vulnerabilities (CVEs) affecting the targeted technology. “These patterns have been consistent with enterprise edge technologies like VPNs, firewalls, and remote access tools—the exact systems that advanced threat actors increasingly target,” GreyNoise cautioned in its Early Warning Signals report released last month.
Next Steps for Fortinet and Enterprises
In light of these developments, organizations utilizing Fortinet’s SSL VPN devices are urged to bolster their security measures. Continuous monitoring and timely updates can help mitigate the risks associated with such targeted attacks. Fortinet has yet to respond to inquiries from The Hacker News about these trends, but further commentary from the company could shed additional light on its response strategy.
As the landscape of cyber threats evolves, understanding the motivations and behaviors behind these cyberattacks becomes crucial for businesses aiming to maintain secure operations.
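As an added illustration (not code from GreyNoise, Fortinet or the original article), the sketch below shows one way to monitor for the two traffic shapes described above: steady brute-force attempts spread over many source IPs, and a sudden surge. The log format, field names and sample lines are constructed for this example and must be mapped to what your VPN gateway actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Assumption: key=value log lines with hypothetical field names (time, action,
# srcip, user). Map these to the fields your VPN gateway actually emits.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def bucket_failures(lines, bucket_seconds=300):
    """Group failed VPN logins into fixed time buckets across ALL source IPs."""
    buckets = defaultdict(lambda: {"fails": 0, "ips": set()})
    for line in lines:
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rec.get("action") != "login-fail":
            continue
        ts = int(datetime.fromisoformat(rec["time"]).timestamp())
        b = buckets[ts - ts % bucket_seconds]
        b["fails"] += 1
        b["ips"].add(rec["srcip"])
    return dict(sorted(buckets.items()))

def flag_buckets(buckets, min_ips=5, max_per_ip=3, surge_factor=3.0):
    """'distributed': many sources with few tries each, which per-IP lockout
    thresholds miss. 'surge': failures far above the median bucket."""
    baseline = median(b["fails"] for b in buckets.values()) if buckets else 0
    flags = {}
    for start, b in buckets.items():
        labels = []
        if len(b["ips"]) >= min_ips and b["fails"] / len(b["ips"]) <= max_per_ip:
            labels.append("distributed")
        if baseline and b["fails"] >= surge_factor * baseline:
            labels.append("surge")
        flags[start] = labels
    return flags

def sample_lines():
    """Constructed sample: three steady 5-minute buckets, then a burst."""
    fmt = 'time=2025-01-01T00:{:02d}:{:02d}+00:00 action={} srcip={} user="{}"'
    lines = [fmt.format(m, i, "login-fail", f"192.0.2.{i + 1}", "admin")
             for m in (0, 5, 10) for i in range(6)]
    lines += [fmt.format(15, i, "login-fail", f"198.51.100.{i + 1}", f"user{i}")
              for i in range(30)]
    lines.append(fmt.format(16, 0, "login-ok", "203.0.113.9", "alice"))
    return lines

if __name__ == "__main__":
    for start, labels in flag_buckets(bucket_failures(sample_lines())).items():
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), labels)
```

In the sample no single source IP fails more than once, so a per-IP threshold stays silent while the aggregate view flags every bucket as distributed and the last one as a surge. The thresholds are starting points to tune against your own baseline.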


