On 3 August 2025, threat intelligence firm GreyNoise detected an unprecedented surge in brute-force attempts against Fortinet SSL VPNs – over 780 unique IPs in a single day. Analysis revealed the campaign quickly pivoted to target FortiManager services, signalling coordinated and evolving adversary activity with potential links to forthcoming vulnerabilities.
GreyNoise reported that the 3 August spike was the highest single-day volume observed for its Fortinet SSL VPN Bruteforcer tag in recent months. The attacks were deliberate, targeting FortiOS profiles rather than scanning indiscriminately. According to GreyNoise data, such spikes are historically followed by new CVE disclosures affecting Fortinet products in 80% of cases within six weeks.
“This was not opportunistic — it was focused activity,” GreyNoise researchers stated, noting that the traffic “was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs.”
Top Geographies Targeted
Over the past 90 days, the heaviest targeting was recorded in Hong Kong and Brazil, underscoring the campaign’s global reach.
Two Distinct Attack Waves
A two-week review of traffic matching the Fortinet SSL VPN Bruteforcer tag revealed two separate campaigns:
- Wave One: A steady, long-running brute-force set tied to a single TCP signature.
- Wave Two: A sudden burst starting 5 August, using a different TCP signature and showing an abrupt onset.
GreyNoise pivoted analysis to the second wave due to its anomalous characteristics.
From VPN to FortiManager: A Tactical Shift
After isolating the August 5 TCP signature, researchers identified paired client signatures revealing a shift in attacker focus:
- Pre-August 5: Attacks targeted FortiOS profiles.
- Post-August 5: The same infrastructure began targeting FortiManager – FGFM profiles while still triggering the SSL VPN brute-forcer tag.
This pivot suggests adversaries may be using the same toolset or infrastructure to probe multiple Fortinet services in quick succession.
A Residential Clue
Historical traffic analysis tied to the August 5 signature revealed a June spike originating from a FortiGate device in a residential ISP block (Pilot Fiber Inc.). While not flagged as a proxy, the IP had AbuseDB detections.
Researchers caution this may indicate initial tool testing from a home network or the use of a residential proxy — though attribution remains unconfirmed.
MITRE ATT&CK Mapping (Observed TTPs)
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Valid Accounts (Brute Force) | T1110 |
| Discovery | Network Service Scanning | T1046 |
| Command & Control | Application Layer Protocol | T1071 |
Expert Commentary
“Spikes of this magnitude against a single vendor’s perimeter services are a red flag. Historical correlation with future CVEs means defenders should brace for potential zero-day exploitation,” said Andrew Morris, Founder of GreyNoise (statement from 3 August 2025 blog).
“The pivot from SSL VPN to FortiManager services within days reflects a deliberate, multi-service targeting strategy — not random noise,” the GreyNoise research team noted.
Actionable Takeaways for Defenders
- Search for and monitor traffic using GreyNoise’s Fortinet SSL VPN Bruteforcer tag.
- Block known malicious IPs from GreyNoise’s dynamic IP blocklist for this tag.
- Harden Fortinet perimeter assets: enforce strong passwords, MFA, and lockout policies.
- Restrict management interfaces (FortiManager, SSL VPN) to trusted IP ranges or VPN-only access.
- Patch promptly — especially when Fortinet releases updates in the coming weeks.
- Monitor for brute-force attempts and anomalous login patterns in logs.
- Correlate traffic patterns with other threat intel feeds for early warning.
- Conduct external exposure assessments to identify and secure open Fortinet services.
- Educate admin teams on security awareness against targeted brute-force and password-spraying attempts.
Conclusion
The August 2025 coordinated brute-force campaign against Fortinet SSL VPN and FortiManager systems highlights a rapidly adaptive adversary strategy. With a strong historical link between such activity spikes and forthcoming vulnerabilities, organizations running Fortinet gear should assume they are in the potential blast radius and act immediately. Proactive cybersecurity measures and vigilant monitoring in the next six weeks will be critical to mitigating potential exploitation.
