Fortinet VPNs under attack from potential zero-day - FortiSIEM security tools also at risk, so be on your guard
Someone is actively trying to brute-force VPNs

- Someone has been trying to break into Fortinet VPN products
- GreyNoise believes this is in preparation for a zero-day exploit
- The researchers expect a CVE to be published within weeks
Fortinet users are once again being warned that cybercriminals could be preparing to target their endpoints using attacks on VPN tools.
In early August 2025, researchers from GreyNoise first observed a significant spike in brute-force attacks against Fortinet SSL VPN instances. A brute-force attack is when an attacker tries every possible password, encryption key, or other authentication value until they find the correct one.
Two days later, GreyNoise saw that same threat actor trying the same thing against FortiManager, Fortinet’s centralized management platform for administering and controlling large deployments of Fortinet security devices (FortiGate firewalls, FortiSwitches, FortiAPs, and other appliances).
80% chance of a CVE
This activity has fueled all sorts of speculation, including the idea that someone out there knows of a zero-day vulnerability existing in Fortinet’s products.
Under that theory, the attackers are now in the preparation stage, mapping out potential targets, enumerating them, and estimating their importance within a network. It could also mean that, in order to exploit the flaw, the attacker must be authenticated on the device, hence the brute-force attempts.
So far, there is no evidence of any zero-day existing, and some believe the attackers are actually looking to abuse known, previously patched flaws instead.
However, in its latest report, GreyNoise said there is a high chance of a zero-day being exploited in the next couple of weeks:
“New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” the researchers said.
“In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.”
The researchers stressed that in 80% of observed cases, spikes in brute-force attacks are followed by a CVE disclosure within six weeks.
There is also a slight possibility that the scans are actually coming from a benign player, a researcher, but the researchers are skeptical since researcher scans are usually broader in scope and more limited in rate.
Via BleepingComputer
How to stay safe
As the risk of phishing grows, staying vigilant online remains the best way to be safe.
Users should always be skeptical of unsolicited incoming messages, especially those that demand urgent action or threaten disaster.
These are, and will continue to be, the biggest red flags in phishing attacks.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.