Cyberstorm Hits Fortinet: 780+ Malicious IPs Attack on Fortinet’s VPNs

The420.in Staff

Cybersecurity analysts have issued an urgent warning following a sharp escalation in brute-force activity against Fortinet SSL VPN devices. Threat intelligence firm GreyNoise reported that on August 3, 2025, over 780 unique IP addresses participated in a coordinated attack campaign aimed squarely at Fortinet’s SSL VPN infrastructure.

The malicious activity, traced to IPs from the United States, Canada, Russia, and the Netherlands, targeted networks in the United States, Hong Kong, Brazil, Spain, and Japan. Researchers stressed that this was not opportunistic probing, but a deliberate and precision-driven operation focused on FortiOS systems.


Two Distinct Attack Waves Observed

GreyNoise detailed two separate phases of activity before and after August 5. The first wave involved steady brute-force attempts from a single TCP signature, maintaining consistent pressure over time. The second wave marked a sudden, concentrated spike with a different TCP signature, indicating a change in attacker methodology.

Notably, traffic after August 5 shifted focus from FortiOS to FortiManager, suggesting the same adversarial infrastructure pivoted towards a different Fortinet-facing service. This shift, analysts warn, could represent testing or exploitation reconnaissance ahead of a larger campaign.

Evidence of Possible Residential Proxy Testing

Further analysis revealed an earlier surge in June 2025, with a distinctive client signature linked to a FortiGate device on a residential ISP block managed by Pilot Fiber Inc. This anomaly raises the possibility that attackers tested or launched tooling from a home network, or alternatively, leveraged residential proxy infrastructure to mask their origins.

Researchers noted that such spikes in targeted activity often precede the disclosure of a critical vulnerability (CVE) within six weeks. Historical patterns show that enterprise edge technologies (VPNs, firewalls, and remote access platforms) remain prime targets for advanced threat actors seeking initial access to corporate networks.

Security teams are advised to tighten authentication controls, monitor for anomalous login attempts, and apply vendor-released patches without delay.
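As an added illustration of the monitoring advice above (example code, not from the article, GreyNoise or Fortinet): a small Python detector that buckets SSL VPN login failures into fixed windows and flags windows where the failures come from many distinct source addresses, the signature of the distributed campaign described here rather than a single noisy host. The field names (date, time, action, user, remip) follow FortiGate event-log conventions as an assumption, and every log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Accepts FortiOS-style key=value records; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict; adds a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect_distributed_bruteforce(lines, window_min=5, min_ips=20, min_fails=40):
    """Bucket SSL VPN login failures into fixed windows and flag windows where
    the failures come from many distinct source IPs. Per-IP lockouts miss this
    pattern: each address tries only a few times, but together they add up."""
    buckets = defaultdict(lambda: {"fails": 0, "ips": set(), "users": set()})
    for line in lines:
        e = parse_line(line)
        if e.get("action") != "ssl-login-fail":
            continue
        ts = e["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        b = buckets[start]
        b["fails"] += 1
        b["ips"].add(e["remip"])
        b["users"].add(e.get("user", "?"))
    return [
        {"window_start": k, "fails": v["fails"],
         "distinct_ips": len(v["ips"]), "users": sorted(v["users"])}
        for k, v in sorted(buckets.items())
        if v["fails"] >= min_fails and len(v["ips"]) >= min_ips
    ]


def make_sample_logs():
    """Constructed sample (not real telemetry): one user mistyping a password
    twice from a single address, then 30 different addresses each failing
    twice against 'admin' within two minutes."""
    lines = [f'date=2025-08-03 time=09:00:0{i} type="event" subtype="vpn" '
             f'action="ssl-login-fail" user="alice" remip=198.51.100.7' for i in range(2)]
    for i in range(30):
        for j in range(2):
            lines.append(f'date=2025-08-03 time=10:0{j}:{i:02d} type="event" subtype="vpn" '
                         f'action="ssl-login-fail" user="admin" remip=203.0.113.{i + 1}')
    return lines


if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(make_sample_logs()):
        print(alert)
```

Tune `min_ips` and `min_fails` to the site's normal failure rate; the point is that the distinct-source count, not the per-address count, is what separates a coordinated wave from ordinary typos.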
