- Someone has been trying to break into Fortinet VPN products
- GreyNoise believes this is in preparation for a zero-day exploit
- Researchers expect a CVE to be published within weeks
Fortinet users are on notice once again: cybercriminals could be preparing to target their endpoints using attacks on VPN tools.
At the beginning of August 2025, GreyNoise researchers first observed a significant increase in brute-force attacks against Fortinet SSL VPN instances. A brute-force attack is when an attacker tries every possible password, encryption key or other authentication value until finding the correct one.
Two days later, GreyNoise saw the same threat actor try the same against FortiManager, Fortinet's centralized management platform for administering and controlling large deployments of Fortinet security devices (FortiGate firewalls, FortiSwitches, FortiAPs and other devices).
80% chance of a CVE
This activity has fueled all kinds of speculation, including the idea that someone knows of a zero-day vulnerability that exists in Fortinet products.
Right now, they are in the preparation stage: mapping potential targets, listing them and estimating their importance within a network. It could also mean that, to exploit the flaw, the attacker must be authenticated on the device, hence the brute force.
So far, there is no evidence of any existing zero-day, and some believe the attackers are really looking to abuse known, previously patched flaws.
However, in its latest report, GreyNoise said there is a strong possibility that a zero-day will be exploited in the next two weeks:
“New research shows that peaks such as are often preceded by the dissemination of new vulnerabilities that affect the same supplier, most in six weeks,” said the researchers.
“In fact, GreyNoise discovered that peaks in the activity that trigger this exact label are significantly correlated with future vulnerabilities disclosed in Fortinet products.”
The researchers stressed that in 80% of the cases observed, spikes in brute-force attacks are followed by a CVE disclosure within six weeks.
There is also a slight possibility that the scans come from a benign actor, such as a researcher, but the researchers are skeptical, since research scans are usually wider and more limited.
Via BleepingComputer
How to stay safe
As the risk of phishing grows, staying alert online is still the best way to stay safe.
Users should always be skeptical of unsolicited incoming messages, especially those that demand urgent action or threaten disaster.
These are, and will continue to be, the biggest red flags in phishing attacks.