# Coordinated brute-force campaigns against Fortinet SSL VPN and FGFM services in ...
A sharp, two-stage spike in brute-force activity against Fortinet infrastructure—first battering FortiOS SSL VPNs, then pivoting to FortiManager’s FGFM service—has raised alarms across the security community about potential undisclosed flaws and an impending vulnerability disclosure window. GreyNoise, which observed over 780 unique IPs in the initial surge, notes that such vendor-focused scanning/brute-forcing historically precedes new CVEs about 80% of the time, with most disclosures occurring within six weeks. The timing overlaps with separate Fortinet advisories on other products and exploit code surfacing in the wild, increasing urgency without proving causation.
## Timeline: Two Waves, Two Signatures
- August 3, 2025: A record surge in brute-force attempts targeted Fortinet SSL VPNs, with more than 780 unique IPs triggering GreyNoise’s Fortinet SSL VPN Bruteforcer tag and aligning with the FortiOS profile—indicating deliberate vendor-specific targeting rather than opportunistic scanning.
- August 5, 2025: Activity pivoted to FortiManager’s FGFM service with a different TCP/client “meta signature,” while still tripping the Fortinet SSL VPN Bruteforcer tag—suggesting either the same operator/tooling shifting targets or coordinated infrastructure reuse.
GreyNoise emphasizes this behavioral split: long-running brute-forcing tied to a consistent TCP signature contrasted with a sudden, concentrated burst with a distinct signature and a service pivot.
## JA4+ Fingerprints
JA4+ encrypted traffic fingerprinting linked the August 3 spike to traffic seen in June that bore a client signature resolving to a FortiGate device on a residential ISP block (Pilot Fiber Inc.), hinting at tooling reuse or residential proxying; attribution remains unconfirmed. This cross-wave clustering suggests evolution rather than noise, reinforcing the assessment that this is not benign researcher activity, which tends to be broader, slower, and avoids credential brute-forcing.
## Indicators of Malicious Infrastructure
GreyNoise published a set of IPs associated with the campaign’s post-August 5 meta signature, recommending defensive blocks while monitoring for ongoing evolution.
The list includes:
- 31.206.51.194
- 23.120.100.230
- 96.67.212.83
- 104.129.137.162
- 118.97.151.34
- 180.254.147.16
- 20.207.197.237
- 180.254.155.227
- 185.77.225.174
- 45.227.254.113
Multiple outlets have echoed the imperative to restrict exposure and harden authentication while treating this as a precursor rather than failed attempts against old bugs.
## Patterns that Precede Pain
GreyNoise’s longitudinal analysis shows vendor-specific surges often foreshadow vulnerability disclosures—about 80% see a CVE within six weeks—making this not just an anomaly but a statistical warning bell. In parallel, Fortinet recently disclosed a critical FortiSIEM flaw (CVE-2025-25256) with working exploit code in the wild, and separate reporting highlights long-running risks around FortiManager and FGFM exposure; however, GreyNoise cautions there’s no proven causal link between the brute-force waves and the FortiSIEM disclosure. The confluence of signals argues for immediate hardening—without assuming a single root cause.
## What’s Being Targeted and How
- Primary services: FortiOS SSL VPN initially; rapid pivot to FortiManager FGFM.
- TTPs: High-volume credential brute-forcing, adaptive testing, evolving TCP/client signatures, tight vendor/service focus rather than scattershot probing.
- Geography and scope: Over 780 unique IPs participating; sources reported across multiple countries with targets spanning the U.S., Hong Kong, Brazil, Spain, and Japan in observed telemetry.
- Researcher vs. adversary: The depth and cadence—credential abuse, meta-signature clustering, service pivot—fit adversarial intrusion attempts, not rate-limited safety-scoped research scanning.
## Defensive Actions: Do This Now
- Block and restrict
  - Block the published malicious IPs at network perimeters and device ACLs; keep the block list dynamic, since the tooling and source infrastructure are evolving.
  - Remove public exposure of FortiGate/FortiManager admin interfaces; allowlist trusted management IPs and gate access via VPN/ZTNA.
- Harden authentication
  - Enforce MFA on SSL VPN and admin accounts; rotate privileged credentials and eliminate weak or reused passwords.
- Patch and mitigate
  - Apply the latest FortiOS, FortiManager, FortiProxy, and FortiSIEM updates; where patching lags, disable or strictly limit HTTP/HTTPS management and FGFM (TCP/541) reachability from untrusted networks.
- Monitor and hunt
  - Alert on spikes in failed logins, Fortinet SSL VPN Bruteforcer patterns, and FGFM service hits from unexpected sources; baseline and watch for new JA3/JA4+ anomalies and the noted meta signatures.
  - Review devices for unauthorized accounts, group changes, and unexpected config/policy modifications.
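The "Monitor and hunt" step above can be turned into a small hunting script. The following is an added example, not code from the original page or from GreyNoise: it parses FortiOS-style key=value syslog lines, flags sources that exceed a failed-login threshold inside a sliding window, matches every source against the IP list published above, and reports any contact with the FGFM port (TCP/541) from a host that is not on the trusted-management allowlist. The log lines are constructed for the example and only approximate the field set of FortiOS event/vpn and traffic/local logs; the thresholds, the window and the trusted-host set are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IPs GreyNoise published for the post-August 5 meta signature (taken from the page).
GREYNOISE_IOCS = {
    "31.206.51.194", "23.120.100.230", "96.67.212.83", "104.129.137.162",
    "118.97.151.34", "180.254.147.16", "20.207.197.237", "180.254.155.227",
    "185.77.225.174", "45.227.254.113",
}

# Assumed thresholds: N failed SSL VPN logins from one source inside WINDOW is a brute-force signal.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)
FGFM_PORT = 541  # FortiManager <-> FortiGate management channel

# Generic key=value tokenizer; values may be quoted ("...") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one FortiOS-style key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def timestamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def hunt(lines, trusted_mgmt=frozenset()):
    """Return brute-force sources, IOC hits and FGFM contacts from untrusted hosts."""
    fails = defaultdict(list)  # src -> timestamps of failed logins still inside WINDOW
    findings = {"bruteforce": {}, "ioc_hits": set(), "fgfm_untrusted": set()}
    for line in lines:
        rec = parse_kv(line)
        src = rec.get("remip") or rec.get("srcip")  # vpn events use remip, traffic logs srcip
        if not src:
            continue
        if src in GREYNOISE_IOCS:
            findings["ioc_hits"].add(src)
        if rec.get("action") == "ssl-login-fail":
            ts = timestamp(rec)
            window = [t for t in fails[src] if ts - t <= WINDOW] + [ts]  # slide the window
            fails[src] = window
            if len(window) >= FAIL_THRESHOLD:
                findings["bruteforce"][src] = max(findings["bruteforce"].get(src, 0), len(window))
        if rec.get("dstport") == str(FGFM_PORT) and src not in trusted_mgmt:
            findings["fgfm_untrusted"].add(src)
    return findings


# Constructed sample input (not real telemetry): one brute-forcer, one stray failure,
# one IOC source, one FGFM probe from an IOC source and one legitimate FGFM peer.
SAMPLE_LOGS = [
    'date=2025-08-03 time=02:10:01 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:10:03 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="test" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:10:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="vpn" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:10:09 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="guest" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:10:14 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="support" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:40:00 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"',
    'date=2025-08-03 time=02:11:30 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.9 user="jsmith" reason="sslvpn_login_permission_denied"',
    'date=2025-08-05 time=03:58:40 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=45.227.254.113 user="admin" reason="sslvpn_login_unknown_user"',
    'date=2025-08-05 time=04:00:12 type="traffic" subtype="local" srcip=185.77.225.174 srcport=51234 dstip=192.0.2.1 dstport=541 proto=6 action="deny"',
    'date=2025-08-05 time=04:00:30 type="traffic" subtype="local" srcip=10.0.0.5 srcport=40012 dstip=192.0.2.1 dstport=541 proto=6 action="accept"',
]

TRUSTED_MGMT = frozenset({"10.0.0.5"})  # assumed FortiManager address


def run_sample():
    return hunt(SAMPLE_LOGS, TRUSTED_MGMT)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The sixth failure from 203.0.113.7 falls outside the five-minute window and does not extend the count, which is the behaviour you want from a sliding window rather than a lifetime counter; the IOC match and the FGFM check fire on a single event, because one contact from a published source or an unexpected peer on TCP/541 is worth a ticket on its own.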
## Industry Signals and Adjacent Risk
Coverage from major outlets and vendor advisories underscores that exploitation risk around Fortinet ecosystems is persistent, multifaceted, and often overlaps with management-plane exposure. Tech media and defenders are flagging the elevated likelihood of a Fortinet-adjacent CVE following this surge, while cautioning against conflating separate product advisories with the brute-force campaigns in the absence of direct evidence.
## Extended Excerpt: Inside the GreyNoise Assessment
“Spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” GreyNoise warned, tying the August 3 SSL VPN spike and the August 5 FGFM pivot together via TCP/client meta signatures and JA4+ clustering that connected the August wave to June activity linked to a FortiGate on a residential ISP block. The firm emphasized the focused nature of the activity—targeting FortiOS and then FortiManager profiles—contrasting it with typical research scanning patterns and advising defenders to treat the waves as credible intrusion attempts requiring immediate access restriction and authentication hardening.
## Preparing for the “Six-Week Window”
The most consequential detail isn’t the brute-force volume; it’s the historical correlation to disclosure cadence and the rapid service pivot that suggests adversaries are probing control planes, not just user edges. Whether or not a specific zero-day surfaces, the attacker attention signals perceived payoff in Fortinet’s management and remote access surfaces, and the cost of waiting is asymmetric: hardening now carries low operational risk compared to the potential blast radius of a management-plane compromise.
## At a Glance: Key Points
- Two distinct waves: Aug 3 (FortiOS SSL VPN) and Aug 5 (FortiManager FGFM), different TCP/client signatures.
- 780+ unique IPs in the initial wave; all classified malicious.
- JA4+ fingerprints link August activity to June traffic tied to a residential ISP FortiGate; attribution remains unconfirmed.
- Historical pattern: ~80% of such vendor-focused spikes precede a CVE disclosure within six weeks.
- Immediate actions: block listed IPs, restrict management exposure, enforce MFA, patch broadly, monitor for FGFM hits and brute-force patterns.
- Context: Parallel Fortinet advisories (e.g., FortiSIEM CVE-2025-25256 with exploit code) heighten urgency but do not establish direct causation with the brute-force campaigns.
Treat this as a pre-incident phase: restrict surfaces, raise authentication bars, and watch for service-specific anomalies while preparing for a probable disclosure window that historically follows such surges.
> “This was not opportunistic — it was focused activity,” GreyNoise said, urging defenders to block malicious IPs and harden external access rather than assuming these are failed attempts against patched, legacy flaws.