On August 12, 2025, researchers at GreyNoise reported a dramatic surge in brute-force login attempts targeting Fortinet SSL VPN devices starting on August 3. In just one day, over 780 unique IP addresses were observed launching credential-stuffing attacks, marking the highest volume of such attacks observed in recent months.
GreyNoise classified all participating IPs as malicious, originating from various locations including the U.S., Canada, Russia, and the Netherlands. They assessed that the campaign appears to be focused and deliberate, with traffic fingerprinted to FortiOS profiles.
Primary targets of this campaign include organizations in the U.S., Hong Kong, Brazil, Spain, and Japan.
GreyNoise analysts also noted a shift in tactics. Earlier brute-force activity had a consistent TCP signature, pointing to long-running campaigns using stable tooling. But the August 3 spike introduced a new TCP signature, and attackers began probing FortiManager FGFM profiles, in addition to SSL VPN endpoints. This switch may indicate new threat actors entering, or existing ones evolving their methods.
During the infrastructure analysis, they noted that a client signature matched a FortiGate device located in a residential ISP block. It’s unclear whether this finding points to attackers testing from home networks or leveraging residential proxies, adding another layer of complexity to attribution and mitigation.
Analyst insight
This surge in Fortinet SSL VPN brute-force activity closely mirrors the recent spike in attacks against SonicWall firewalls, where threat actors exploited legacy credentials and a previously disclosed vulnerability to gain unauthorized access.
The parallel timing and tactics suggest a broader trend of adversaries intensifying their focus on VPN infrastructure, particularly where password hygiene and patching practices lag behind.
Given the scale of this campaign, defenders should be on high alert and organizations relying on Fortinet VPN infrastructure should ensure that they take steps to harden their systems.
Ensure all Fortinet devices are running the latest firmware versions and that known vulnerabilities are patched. In addition, we recommend implementing strong password policies and enabling multi-factor authentication across all VPN access points.
Fortinet has issued guidance on securing SSL-VPN services against unauthorized access and brute-force attempts. Within this guidance, best practices include:
- Limiting login attempts and block duration to prevent brute-force attacks
- Enforcing multi-factor authentication
- Using non-default SSL certificates
- Restricting access by geography or specific hosts, and
- Limiting users to a single VPN session at a time
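
To check whether a gateway is seeing the pattern described above, the following added example (not GreyNoise or Fortinet code) scans VPN authentication events for sources that exceed a failed-login limit and for days with a jump in unique failing source IPs. The log lines are constructed, and the key=value layout, field names (action, remip, user) and thresholds are assumptions to adapt to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and the field names
# (action, remip, user) are assumptions; map them to your own log schema.
SAMPLE_LOG = '''\
date=2025-08-01 time=09:12:44 action="ssl-login-fail" remip=198.51.100.7 user="jdoe"
date=2025-08-02 time=14:03:10 action="ssl-login-fail" remip=198.51.100.7 user="jdoe"
date=2025-08-03 time=02:00:01 action="ssl-login-fail" remip=203.0.113.5 user="admin"
date=2025-08-03 time=02:00:20 action="ssl-login-fail" remip=203.0.113.5 user="vpn"
date=2025-08-03 time=02:00:41 action="ssl-login-fail" remip=203.0.113.5 user="test"
date=2025-08-03 time=02:01:05 action="ssl-login-fail" remip=203.0.113.5 user="guest"
date=2025-08-03 time=02:03:00 action="ssl-login-fail" remip=192.0.2.10 user="admin"
date=2025-08-03 time=02:03:02 action="ssl-login-fail" remip=192.0.2.11 user="admin"
date=2025-08-03 time=08:30:00 action="tunnel-up" remip=198.51.100.7 user="jdoe"
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def failed_logins(text):
    """Return (timestamp, source IP) for every failed SSL VPN login event."""
    out = []
    for line in text.splitlines():
        ev = {k: v.strip('"') for k, v in KV.findall(line)}
        if ev.get("action") == "ssl-login-fail":
            ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
            out.append((ts, ev["remip"]))
    return out

def noisy_sources(events, limit=3, window=timedelta(minutes=5)):
    """Source IPs with more than `limit` failures inside one time window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    return {ip for ip, s in by_ip.items()
            if any(b - a <= window for a, b in zip(sorted(s), sorted(s)[limit:]))}

def surge_days(events, factor=2):
    """Days whose unique failing-source count is >= factor x the prior daily mean."""
    per_day = defaultdict(set)
    for ts, ip in events:
        per_day[ts.date().isoformat()].add(ip)
    days = sorted(per_day)
    counts = [len(per_day[d]) for d in days]
    return {d: c for i, (d, c) in enumerate(zip(days, counts))
            if i and c >= factor * sum(counts[:i]) / i}

if __name__ == "__main__":
    print(noisy_sources(failed_logins(SAMPLE_LOG)), surge_days(failed_logins(SAMPLE_LOG)))
```

The per-source check corresponds to what a login-attempt limit would block, while the unique-source count surfaces activity spread across many addresses that stays under any per-IP limit.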