New Brute-Force Campaign Hits Fortinet SSL VPN in Coordinated Attack

A surge in brute-force attacks on Fortinet products could signal a new vulnerability. A timeline shows a strong link between attack spikes and security flaws.

An unusual surge in cyberattack activity against security products from Fortinet has put experts on alert. On August 3, 2025, researchers at cybersecurity firm GreyNoise detected a major spike in brute-force attacks, with over 780 unique IP addresses targeting Fortinet’s SSL VPNs in a single day. This discovery was revealed in a detailed research report shared with Hackread.com.

For your information, a brute-force attack is when an attacker repeatedly tries to guess a username or password to break into a system. GreyNoise’s analysis of this traffic revealed a focused and deliberate effort by attackers, not just random opportunism. The research also found that Hong Kong and Brazil were the top target countries over the last 90 days.

GreyNoise security experts observed two distinct waves of these attacks. The first was a long-running, steady attack, but a second, more focused wave began on August 5. While the initial August 3 traffic targeted Fortinet’s main operating system, FortiOS, the later attacks shifted to FortiManager, a tool that manages and configures multiple Fortinet devices. Targeting FortiManager could allow attackers to compromise entire networks rather than individual systems.

The researchers also found a clue that the attackers might have launched their tools from a residential network, possibly a home computer. While not unheard of, this is unusual for such large-scale, coordinated attacks and could mean the attackers are trying to disguise their operations as normal internet traffic. This link suggests a connection between the recent attacks and earlier activity observed in June.

According to GreyNoise’s research, spikes in this kind of cyberattack activity are often a warning sign. The company found that 80% of similar attack surges against a vendor’s products are followed by a public disclosure of a new security vulnerability.

A timeline from GreyNoise visually demonstrates this link. The chart below shows that white dots, which represent a spike in brute-force activity, consistently appear before or at the same time as red dots, which represent a new public security vulnerability (CVE). This correlation suggests that a sudden increase in attacker activity is a strong indicator that a new flaw may soon be discovered or disclosed.

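[Figure: GreyNoise timeline of brute-force activity spikes (white dots) and new CVE disclosures (red dots). Source: GreyNoise]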

With this new activity, Fortinet customers are being advised to remain on high alert and to use GreyNoise’s tools to identify and block malicious IP addresses. Hackread.com will continue to monitor the situation closely for any new developments.
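As an added illustration (not code from GreyNoise, Fortinet or the original article), the sketch below shows how a defender could look for the pattern described above in their own VPN authentication logs: a day-over-day jump in distinct source IPs with failed logins, plus individual sources failing against many usernames. The log lines are constructed, and the field names (`date`, `action`, `remip`, `user`) and thresholds are assumptions to adapt to your own log format.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines in a key=value style; the field names
# (date, action, remip, user) are assumptions, so map them to your own logs.
SAMPLE = """\
date=2025-07-31 action=login-fail remip=198.51.100.7 user=admin
date=2025-08-01 action=login-fail remip=198.51.100.7 user=admin
date=2025-08-01 action=login-ok remip=192.0.2.10 user=alice
date=2025-08-02 action=login-fail remip=203.0.113.5 user=bob
date=2025-08-03 action=login-fail remip=203.0.113.5 user=admin
date=2025-08-03 action=login-fail remip=203.0.113.5 user=root
date=2025-08-03 action=login-fail remip=203.0.113.5 user=vpn
date=2025-08-03 action=login-fail remip=203.0.113.9 user=admin
date=2025-08-03 action=login-fail remip=198.51.100.7 user=admin
date=2025-08-03 action=login-fail remip=198.51.100.44 user=test
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def failed_by_day(text):
    """Map day -> {source IP -> set of usernames that failed to log in}."""
    days = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("action") == "login-fail" and "remip" in rec and "date" in rec:
            days[rec["date"]][rec["remip"]].add(rec.get("user", ""))
    return days

def spike_days(days, factor=3.0):
    """Days whose distinct failing-IP count exceeds factor x the median of earlier days."""
    out, history = [], []
    for day in sorted(days):  # ISO dates sort chronologically as strings
        n = len(days[day])
        if history and n > factor * median(history):
            out.append(day)
        history.append(n)
    return out

def multi_user_sources(days, day, min_users=3):
    """Source IPs that failed against min_users or more usernames on one day."""
    return sorted(ip for ip, users in days[day].items() if len(users) >= min_users)
```

On real data, a flagged day is a prompt to review the listed source IPs against threat-intelligence feeds and block or rate-limit them at the VPN edge.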





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.