Global brute-force attack targeting Fortinet SSL VPNs
Cybersecurity researchers have issued a warning regarding a “significant spike” in brute-force traffic targeting Fortinet SSL VPN devices. This coordinated activity, identified by threat intelligence firm GreyNoise, was first observed on August 3, 2025, and involved over 780 unique IP addresses, with 56 of these classified as malicious within the last 24 hours. The malicious IPs originated from countries including the United States, Canada, Russia, and the Netherlands, with targets spanning the United States, Hong Kong, Brazil, Spain, and Japan. GreyNoise noted that the traffic was specifically aimed at the FortiOS profile, indicating a deliberate and focused attack rather than opportunistic behaviour.
The analysis revealed two distinct waves of assault, before and after August 5. The first wave consisted of long-running brute-force activity linked to a single TCP signature, while the second wave featured a sudden burst of traffic with a different TCP signature. Following August 5, the traffic shifted focus from FortiOS to FortiManager, suggesting a change in attacker behaviour. Historical data also indicated a prior spike in June, potentially linked to a FortiGate device in a residential ISP block, raising questions about the origin of the brute-force tooling. This development aligns with findings that spikes in malicious activity are often followed by the disclosure of new CVEs affecting similar technologies.