Coordinated Brute Force Campaign Targets Fortinet SSL VPN
Aug. 13, 2025, 5:18 p.m.
Description
A significant spike in brute-force traffic targeting Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs triggering the Fortinet SSL VPN Bruteforcer tag. The activity was deliberate and precise, focusing on FortiOS. Two distinct waves of attacks were identified: a long-running set of brute-force activity and a sudden burst beginning August 5. The second wave shifted from targeting FortiOS to targeting the FortiManager - FGFM profile. Historical data pointed to a potential residential origin or proxy use. The analysis suggests evolving attack patterns and potential reuse of tooling. Research indicates that such spikes often precede new vulnerability disclosures within six weeks. Defenders are advised to use GreyNoise to search for and block malicious IPs associated with this campaign.
Date
- Created: Aug. 13, 2025, 4:59 p.m.
- Published: Aug. 13, 2025, 4:59 p.m.
- Modified: Aug. 13, 2025, 5:18 p.m.
Additional Information
- Hong Kong
- Brazil