Coordinated brute-force campaigns against Fortinet SSL VPN and FGFM services in early August signal a potential zero-day window, with telemetry linking activity patterns

Continue reading
A sharp, two-stage spike in brute-force activity against Fortinet infrastructure—first battering FortiOS SSL VPNs, then pivoting to FortiManager’s FGFM service—has raised alarms across the security community about potential undisclosed flaws and an impending vulnerability disclosure window. GreyNoise, which observed over 780 unique IPs in the initial surge, notes that such vendor-focused scanning/brute-forcing historically precedes new CVEs about 80% of the time, with most disclosures occurring within six weeks. The timing overlaps with separate Fortinet advisories on other products and exploit code surfacing in the wild, increasing urgency without proving causation.
GreyNoise emphasizes this behavioral split: long-running brute-forcing tied to a consistent TCP signature contrasted with a sudden, concentrated burst with a distinct signature and a service pivot.
JA4+ encrypted traffic fingerprinting linked the August 3 spike to traffic seen in June that bore a client signature resolving to a FortiGate device on a residential ISP block (Pilot Fiber Inc.), hinting at tooling reuse or residential proxying; attribution remains unconfirmed. This cross-wave clustering suggests evolution rather than noise, reinforcing the assessment that this is not benign researcher activity, which tends to be broader, slower, and avoids credential brute-forcing.
GreyNoise published a set of IPs associated with the campaign’s post-August 5 meta signature, recommending defensive blocks while monitoring for ongoing evolution. The list includes:
Multiple outlets have echoed the imperative to restrict exposure and harden authentication while treating this as a precursor rather than failed attempts against old bugs.
GreyNoise’s longitudinal analysis shows vendor-specific surges often foreshadow vulnerability disclosures—about 80% see a CVE within six weeks—making this not just an anomaly but a statistical warning bell. In parallel, Fortinet recently disclosed a critical FortiSIEM flaw (CVE-2025-25256) with working exploit code in the wild, and separate reporting highlights long-running risks around FortiManager and FGFM exposure; however, GreyNoise cautions there’s no proven causal link between the brute-force waves and the FortiSIEM disclosure. The confluence of signals argues for immediate hardening—without assuming a single root cause.
Coverage from major outlets and vendor advisories underscores that exploitation risk around Fortinet ecosystems is persistent, multifaceted, and often overlaps with management-plane exposure. Tech media and defenders are flagging the elevated likelihood of a Fortinet-adjacent CVE following this surge, while cautioning against conflating separate product advisories with the brute-force campaigns in the absence of direct evidence.
“Spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” GreyNoise warned, tying the August 3 SSL VPN spike and the August 5 FGFM pivot together via TCP/client meta signatures and JA4+ clustering that connected the August wave to June activity linked to a FortiGate on a residential ISP block. The firm emphasized the focused nature of the activity—targeting FortiOS and then FortiManager profiles—contrasting it with typical research scanning patterns and advising defenders to treat the waves as credible intrusion attempts requiring immediate access restriction and authentication hardening.
The most consequential detail isn’t the brute-force volume; it’s the historical correlation to disclosure cadence and the rapid service pivot that suggests adversaries are probing control planes, not just user edges. Whether or not a specific zero-day surfaces, the attacker attention signals perceived payoff in Fortinet’s management and remote access surfaces, and the cost of waiting is asymmetric: hardening now carries low operational risk compared to the potential blast radius of a management-plane compromise.
Treat this as a pre-incident phase: restrict surfaces, raise authentication bars, and watch for service-specific anomalies while preparing for a probable disclosure window that historically follows such surges.
> “This was not opportunistic — it was focused activity,” GreyNoise said, urging defenders to block malicious IPs and harden external access rather than assuming these are failed attempts against patched, legacy flaws.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.