A notable increase in brute-force attacks targeting Fortinet products may indicate the emergence of a new vulnerability. Analysis reveals a significant correlation between attack incidents and reported security flaws.
Experts are raising concerns over a recent escalation in cyberattacks directed at Fortinet’s security offerings. On August 3, 2025, cybersecurity firm GreyNoise reported an alarming surge in brute-force attacks, identifying over 780 unique IP addresses launching attempts against Fortinet’s SSL VPNs in a single day. This information was included in a comprehensive research brief provided to Hackread.com.
Brute-force attacks involve an attacker persistently attempting to guess usernames or passwords in order to gain unauthorized access to a system. The data analyzed by GreyNoise suggests that the traffic observed resulted from a well-organized effort rather than random automated attempts. The research identified Hong Kong and Brazil as the leading target countries over the past 90 days.
GreyNoise specialists recorded two distinct waves of these attacks. The first wave was characterized by prolonged, steady activity, while a subsequent, more intense wave commenced on August 5. The initial spike on August 3 focused on Fortinet’s core operating system, FortiOS; however, the later attempts shifted to FortiManager, a centralized tool used for managing multiple Fortinet devices. Targeting FortiManager could allow attackers broader access, potentially compromising entire networks instead of individual systems.
Additionally, researchers discovered that attackers may have initiated their activities from a residential network, possibly utilizing a home computer. While this tactic is not unprecedented, it is atypical for large-scale, coordinated attacks, suggesting the attackers might be attempting to mask their actions as normal internet activity. This development appears to correlate with earlier activity recorded in June.
According to GreyNoise’s findings, spikes in this type of cyberattack often serve as precursors to public announcements of new security vulnerabilities. Their research shows that 80% of similar attack surges on vendor products are followed by the disclosure of security flaws.
A timeline provided by GreyNoise illustrates this correlation, showing that spikes in brute-force activity typically occur before or simultaneously with announcements of new public vulnerabilities, indicated by distinct markers. Such patterns suggest that sudden increases in attacking behavior are strong signals that a security flaw might soon be unearthed or publicly acknowledged.
In light of this heightened activity, Fortinet customers are urged to remain vigilant and utilize GreyNoise’s tools to identify and mitigate threats posed by malicious IP addresses. Breachspot.com will continue to monitor developments closely and keep business owners informed of any significant changes in the security landscape.
