- Researchers report a sharp rise in brute-force attacks targeting Fortinet SSL VPN devices.
- Over 780 unique IP addresses were involved in the attacks observed on August 3, 2025.
- Malicious traffic originated from multiple countries and targeted systems worldwide.
- Attack patterns shifted after August 5 to also focus on FortiManager services.
- Activity often predicts the discovery of security flaws in affected technologies within weeks.
Cybersecurity researchers have detected a significant increase in brute-force attempts against Fortinet SSL VPN systems. Threat intelligence firm GreyNoise observed this coordinated campaign on August 3, 2025, identifying participation from more than 780 unique IP addresses.
In the 24 hours before the report, 56 unique IP addresses engaged in these attacks. GreyNoise classified all of them as malicious. The origins of this traffic included the United States, Canada, Russia, and the Netherlands. Attackers aimed at targets located in the United States, Hong Kong, Brazil, Spain, and Japan.
According to GreyNoise, the attackers specifically targeted Fortinet SSL VPNs, not using random or opportunistic methods. “Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” the company said. Researchers detected two main waves: an ongoing long-term attack connected to a single network signature, and a more concentrated short-term burst with a separate signature.
After August 5, the firm saw a change in attack focus. “While the August 3 traffic has targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures—a meta signature—from August 5 onward was not hitting FortiOS,” GreyNoise explained. Instead, this latter wave targeted FortiManager services. This shift signaled to researchers that attackers may be reusing the same tools or infrastructure to go after different Fortinet systems.
Further investigation found that similar attack fingerprints were first noticed in June, possibly indicating the initial use or testing of brute-force tools on a home network or via a residential proxy.
GreyNoise highlighted that spikes in attacks like these often come before the public disclosure of a new vulnerability in the targeted technology, usually within six weeks. These patterns commonly impact enterprise systems such as VPNs and firewalls, which are frequent targets for sophisticated threat groups.
The Hacker News has contacted Fortinet for comment and will provide updates if a response is received.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Trump Administration’s Crypto Push Faces Privacy, DeFi Backlash
- UK FTSE 100 Dividend Yields Tempt U.S. Investors Amid Market Gap
- Ether Nears $4.5K as BitMine Boosts ETH Buy Plan to $25 Billion
- Dogecoin Sets Sights on $0.70 Amid New Bullish Chart Pattern
- Bitcoin Swings Wildly as Traders Eye US Inflation and Fed Moves
