Spike in Fortinet VPN brute-force attacks raises zero-day concerns

Relatório Picus Blue 2025

A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures.

The campaign, detected by threat monitoring platform GreyNoise, manifested in two waves, on August 3 and August 5, with the second wave pivoting to FortiManager targeting with a different TCP signature.

As GreyNoise previously reported, such spikes in deliberate scanning and brute-forcing precede the disclosure of new security vulnerabilities 80% of the time.

Often, such scans aim at enumerating exposed endpoints, evaluating their significance, and estimating their exploitation potential, with actual attack waves following shortly after.

“New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” warned GreyNoise.

“In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.”

Due to this, defenders shouldn’t dismiss those spikes in activity as failed attempts to exploit old, patched flaws, but rather treat them as potential precursors to zero-day disclosure and strengthen security measures to block them.

The Fortinet brute-force attacks

On August 3, 2025, GreyNoise recorded a spike in brute-forcing attempts targeting Fortinet SSL VPN as part of a steady activity it has been monitoring since earlier.

JA4+ fingerprint analysis,a network fingerprinting method for identifying and classifying encrypted traffic, linked the spike to June activity originating from a FortiGate device on a residential IP address associated with Pilot Fiber Inc.

“This overlap doesn’t confirm attribution, but it suggests possible reuse of tooling or network environments,” commented GreyNoise in its bulletin.

Activity spike on August 3FortiOS profile, traffic fingerprinted with TCP and client signatures — a meta signature — from August 5 onward was not hittingFortiOS,” explained GreyNoise.

“Instead, it was consistently targeting ourFortiManager – FGFM profile albeit still triggering our Fortinet SSL VPN Bruteforcer tag.”

This shift suggested that either the same attackers or the same toolset/infrastructure moved from trying to brute-force VPN logins to trying to brute-force FortiManager access.

The IP addresses associated with this activity, and which should be placed on blocklists, are:

  • 31.206.51.194
  • 23.120.100.230
  • 96.67.212.83
  • 104.129.137.162
  • 118.97.151.34
  • 180.254.147.16
  • 20.207.197.237
  • 180.254.155.227
  • 185.77.225.174
  • 45.227.254.113

GreyNoise notes that the tracked malicious activity is evolving with time and is associated with a specific origin cluster that most likely performs adaptive testing.

In general, this activity is unlikely to be researcher scans, which are typically broader in scope and limited in rate, and wouldn’t involve credential brute-forcing, which is seen as an apparent intrusion attempt.

Hence, defenders should block the listed IPs, increase login protection on Fortinet devices, and harden external access where possible, restricting access only to trusted IP ranges and VPNs.


Picus Blue Report 2025

azaeo.com – datalake

File fishes formats available in:

TextoJSONJSON-LDXMLHTMLHTML SourcePDFMarkdown

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.