Redazione RHC : 14 August 2025 13:14
GreyNoise detected two major waves of attacks on Fortinet devices in early August 2025. The first, a brute-force attack targeting Fortinet’s SSL VPN on August 3, was followed by an abrupt shift to FortiManager on August 5, with a new traffic signature. Researchers warn that such spikes in activity precede the publication of critical vulnerabilities 80% of the time.
According to GreyNoise, the August 3 spike involved dictionary-based login attempts on the FortiOS SSL VPN. The JA4+ network fingerprint, which uses TLS fingerprinting to classify encrypted traffic, indicated a possible match with activity observed in June. This traffic came from a residential IP address associated with ISP Pilot Fiber Inc. While this does not prove specific attribution, researchers suggest reuse of the same toolkit or infrastructure.
On August 5, a different situation was observed. The attacker switched from SSL VPN to FortiManager and began brute-force attempts against the FGFM service, part of the Fortinet management system. Although GreyNoise filters continued to trigger on the old “Fortinet SSL VPN Bruteforcer” tag, the traffic signature itself had changed. The new flow no longer matched FortiOS, but exactly matched the FortiManager profile, namely FGFM. This indicates either a change in targeting with the same tools or a continuation of the campaign with a new focus.
GreyNoise emphasizes that these scans are not typically exploratory, as exploratory activities are broad in scope, moderate in frequency, and do not involve password guessing. In this case, the activity appears to be a preparatory phase before an exploitation attempt. The goal may not simply be to discover accessible endpoints, but to conduct preliminary reconnaissance and assess the value of potential targets, followed by an attack on a real, undisclosed vulnerability.
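The distinction drawn above, broad exploratory scanning versus focused password guessing that later moves from one service to another, is the kind of thing a defender can pull out of edge-device authentication logs. The following is an added example, not GreyNoise's or Fortinet's code; the log lines are constructed, the key=value layout is a simplified format assumed for illustration rather than the exact FortiOS syslog schema, and the thresholds (five failures in ten minutes, four distinct targets) are assumptions to be tuned locally. It flags per-source brute force on a service, separates out sources that touch many hosts without guessing passwords, and reports sources that brute-forced one service and then pivoted to another, as in the SSL VPN to FGFM sequence described in the article.

```python
"""Classify per-source activity against Fortinet edge services from auth logs.

Added example (not GreyNoise's or Fortinet's code). Log lines are constructed;
the key=value layout is a simplified format assumed for illustration, not the
exact FortiOS syslog schema. Thresholds are assumptions to be tuned locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failed logins per window that count as brute force
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures
SCAN_MIN_TARGETS = 4            # assumed: distinct destinations that mark a broad scan

# Constructed sample: 198.51.100.7 guesses SSL VPN passwords on Aug 3, then turns to the
# FortiManager FGFM service on Aug 5; 192.0.2.9 touches many hosts without any login
# attempt (broad scan); 192.0.2.200 is a user who mistypes once and then logs in.
SAMPLE_LOGS = """\
2025-08-03T10:00:01Z src=198.51.100.7 dst=203.0.113.10 service=sslvpn action=login-failed user=admin
2025-08-03T10:00:02Z src=198.51.100.7 dst=203.0.113.10 service=sslvpn action=login-failed user=admin
2025-08-03T10:00:04Z src=198.51.100.7 dst=203.0.113.10 service=sslvpn action=login-failed user=vpn
2025-08-03T10:00:05Z src=198.51.100.7 dst=203.0.113.10 service=sslvpn action=login-failed user=test
2025-08-03T10:00:07Z src=198.51.100.7 dst=203.0.113.10 service=sslvpn action=login-failed user=guest
2025-08-03T11:15:00Z src=192.0.2.9 dst=203.0.113.10 service=sslvpn action=tcp-connect user=-
2025-08-03T11:15:03Z src=192.0.2.9 dst=203.0.113.11 service=sslvpn action=tcp-connect user=-
2025-08-03T11:15:06Z src=192.0.2.9 dst=203.0.113.12 service=sslvpn action=tcp-connect user=-
2025-08-03T11:15:09Z src=192.0.2.9 dst=203.0.113.13 service=sslvpn action=tcp-connect user=-
2025-08-04T08:00:00Z src=192.0.2.200 dst=203.0.113.10 service=sslvpn action=login-failed user=alice
2025-08-04T08:00:20Z src=192.0.2.200 dst=203.0.113.10 service=sslvpn action=login-success user=alice
2025-08-05T09:30:00Z src=198.51.100.7 dst=203.0.113.20 service=fgfm action=login-failed user=admin
2025-08-05T09:30:02Z src=198.51.100.7 dst=203.0.113.20 service=fgfm action=login-failed user=admin
2025-08-05T09:30:04Z src=198.51.100.7 dst=203.0.113.20 service=fgfm action=login-failed user=root
2025-08-05T09:30:06Z src=198.51.100.7 dst=203.0.113.20 service=fgfm action=login-failed user=fortinet
2025-08-05T09:30:08Z src=198.51.100.7 dst=203.0.113.20 service=fgfm action=login-failed user=manager
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = dict(part.split("=", 1) for part in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def brute_force_windows(records):
    """Return {(src, service): first_failure_ts} for sources whose failed logins
    reach FAIL_THRESHOLD inside a sliding WINDOW on a single service."""
    fails = defaultdict(list)
    for r in records:
        if r["action"] == "login-failed":
            fails[(r["src"], r["service"])].append(r["ts"])
    hits = {}
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= WINDOW:
                hits[key] = times[i]
                break
    return hits


def broad_scans(records):
    """Sources touching many distinct destinations with no password guessing at all:
    the 'exploratory' profile, as opposed to a focused brute-force run."""
    dsts = defaultdict(set)
    guessed = set()
    for r in records:
        dsts[r["src"]].add(r["dst"])
        if r["action"] == "login-failed":
            guessed.add(r["src"])
    return sorted(s for s, d in dsts.items() if len(d) >= SCAN_MIN_TARGETS and s not in guessed)


def service_pivots(hits):
    """Sources that brute-forced more than one service, listed in order of first activity."""
    by_src = defaultdict(list)
    for (src, svc), first in hits.items():
        by_src[src].append((first, svc))
    return {src: [svc for _, svc in sorted(v)] for src, v in by_src.items() if len(v) > 1}


def classify(text):
    """Full pipeline over raw log text; returns a dict suitable for alerting."""
    records = parse_logs(text)
    hits = brute_force_windows(records)
    return {
        "brute_force": sorted(f"{src}:{svc}" for src, svc in hits),
        "broad_scan": broad_scans(records),
        "pivot": service_pivots(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_LOGS), indent=2))
```

On the constructed sample this reports 198.51.100.7 as brute-forcing both `sslvpn` and `fgfm`, lists it as a pivot in the order `sslvpn` then `fgfm`, and reports 192.0.2.9 as a broad scan; the single mistyped password from 192.0.2.200 produces nothing. A pivot entry is the signal worth escalating, since it is the same source adapting its target rather than an opportunistic scanner.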
According to GreyNoise statistics, activity spikes, particularly those marked with this tag, have a high correlation with upcoming CVEs in Fortinet products. Most of these incidents conclude with a vulnerability being published within six weeks. Therefore, security managers should not attribute them to attempts to exploit long-closed bugs. On the contrary, it’s time to strengthen defenses, especially on external interfaces, and restrict access to administrative panels via IP.
GreyNoise has also published a list of the IP addresses involved in both waves of attacks and recommends blocking them on all Fortinet devices.
According to analysts, the same group is behind these addresses, conducting adaptive testing and adjusting tactics in real time. In this regard, companies using FortiGate, FortiManager, or Fortinet’s SSL VPN should urgently strengthen authentication policies, enable brute-force protection, apply rate limits, and, if possible, restrict access to management interfaces to trusted VPNs or IP whitelists.