Aug 12, 2025 • GreyNoise Blog
A Coordinated Brute Force Campaign Targets Fortinet SSL VPN
Executive Summary
GreyNoise identified a significant surge in brute-force activity targeting Fortinet SSL VPN interfaces on August 3rd, 2025. This campaign involved over 780 unique IP addresses triggering brute-force detection tags within a single day, marking the highest volume recorded in recent months. While no specific threat actor group or malware family has been attributed to this activity, the scale suggests a coordinated effort to compromise remote access credentials. Successful exploitation could grant attackers initial access to internal networks, leading to potential data exfiltration or further lateral movement. Organizations utilizing Fortinet SSL VPNs are advised to enforce multi-factor authentication (MFA), implement account lockout policies, and monitor authentication logs for anomalous login attempts. Immediate patching of known VPN vulnerabilities and restricting access via allow-listing are critical mitigation steps to prevent unauthorized access during this heightened activity period.
Summary
On August 3rd, 2025 GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Over 780 unique IPs triggered our Fortinet SSL VPN Bruteforcer tag in a single day — the highest single-day volume seen on this tag in recent months.
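The log-monitoring advice above, sketched as an added example (not GreyNoise or Fortinet code): when failures are spread across many source IPs, a per-IP failure threshold stays silent, so the check also counts distinct failing sources per day and per account. The field names (action, remip, user), the sample lines and the thresholds are assumptions modelled on FortiOS key=value event logs; adjust them to your own export.

```python
import re
from collections import defaultdict

# Constructed sample: five sources each fail once against "admin" on one day,
# plus unrelated events. Field names are assumed, not taken from the page.
SAMPLE = [
    f'date=2025-08-03 time=02:14:{i:02d} type="event" subtype="vpn" '
    f'action="ssl-login-fail" remip=198.51.100.{i} user="admin"'
    for i in range(1, 6)
] + [
    'date=2025-08-03 time=09:30:00 type="event" subtype="vpn" '
    'action="tunnel-up" remip=203.0.113.7 user="jsmith"',
    'date=2025-08-04 time=08:01:12 type="event" subtype="vpn" '
    'action="ssl-login-fail" remip=203.0.113.7 user="jsmith"',
]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def summarize(lines, per_ip_limit=5, distinct_ip_limit=4):
    """Flag noisy single sources and distributed failures (many sources)."""
    fails_by_ip = defaultdict(int)
    ips_by_day = defaultdict(set)
    ips_by_user = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev.get("action") != "ssl-login-fail" or "remip" not in ev:
            continue  # only failed SSL VPN logins with a source address
        fails_by_ip[ev["remip"]] += 1
        ips_by_day[ev.get("date", "?")].add(ev["remip"])
        ips_by_user[ev.get("user", "?")].add(ev["remip"])
    return {
        # classic per-source threshold: misses low-and-slow distributed attempts
        "noisy_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= per_ip_limit),
        # distinct failing sources per day: the signal a multi-IP campaign leaves
        "spray_days": {d: len(s) for d, s in ips_by_day.items() if len(s) >= distinct_ip_limit},
        # accounts hit from many sources: candidates for lockout and MFA review
        "targeted_users": {u: len(s) for u, s in ips_by_user.items() if len(s) >= distinct_ip_limit},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```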