• Someone has been trying to break into Fortinet VPN products
• GreyNoise believes this is in preparation for a zero-day exploit
• The researchers expect a CVE to be published within weeks

Fortinet users are once again being warned that cybercriminals could be preparing to target their endpoints using attacks on VPN tools.

In early August 2025, researchers from GreyNoise first observed a significant spike in brute-force attacks against Fortinet SSL VPN instances. A brute-force attack is when an attacker tries every possible password, encryption key, or other authentication value until they find the correct one.

Two days later, GreyNoise saw that same threat actor trying the same thing against FortiManager, Fortinet’s centralized management platform for administering and controlling large deployments of Fortinet security devices (FortiGate firewalls, FortiSwitches, FortiAPs, and other appliances).

80% chance of a CVE

This activity has fueled all sorts of speculation, including the idea that someone out there knows of a zero-day vulnerability existing in Fortinet’s products.

Under that theory, the attackers are now in the preparation stage: mapping out potential targets, enumerating them, and estimating their importance within a network. It could also mean that exploiting the flaw requires the attacker to be authenticated on the device, hence the brute-force attempts.

So far, there is no evidence that a zero-day exists, and some believe the attackers are actually looking to abuse known, previously patched flaws instead.

However, in its latest report, GreyNoise said there is a high chance of a zero-day being exploited in the next couple of weeks:

“New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” the researchers said.

“In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.”

The researchers stressed that in 80% of observed cases, spikes in brute-force attacks are followed by a CVE disclosure within six weeks.

There is also a slight possibility that the scans are actually coming from a benign player, a researcher, but the researchers are skeptical since researcher scans are usually broader in scope and more limited in rate.
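To check whether your own gateway is receiving the kind of brute-force traffic described above, the following added example (not code from GreyNoise, Fortinet, or the original article) counts failed SSL VPN logins per source IP inside a sliding time window. The log lines are constructed, and the key=value field names and values (action, remip, user, "ssl-login-fail", "tunnel-up") are assumptions to adapt to your device's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions, not vendor output.
SAMPLE_LOG = """\
date=2025-08-03 time=09:00:01 action="ssl-login-fail" remip=198.51.100.7 user="admin"
date=2025-08-03 time=09:00:09 action="ssl-login-fail" remip=198.51.100.7 user="vpnuser"
date=2025-08-03 time=09:00:17 action="ssl-login-fail" remip=198.51.100.7 user="test"
date=2025-08-03 time=09:00:25 action="ssl-login-fail" remip=198.51.100.7 user="admin"
date=2025-08-03 time=09:00:33 action="ssl-login-fail" remip=198.51.100.7 user="support"
date=2025-08-03 time=09:00:41 action="ssl-login-fail" remip=198.51.100.7 user="guest"
date=2025-08-03 time=09:10:00 action="ssl-login-fail" remip=203.0.113.9 user="alice"
date=2025-08-03 time=10:30:00 action="ssl-login-fail" remip=203.0.113.9 user="alice"
date=2025-08-03 time=10:31:00 action="tunnel-up" remip=203.0.113.9 user="alice"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse(line):
    """Turn one key=value log line into a dict with a parsed 'ts' timestamp."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def brute_force_sources(log, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: (peak failures in any window, distinct usernames tried)}
    for every source whose peak reaches the threshold."""
    fails = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ev = parse(line)
            if ev.get("action") == "ssl-login-fail":
                fails[ev["remip"]].append(ev)
    flagged = {}
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = peak = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({e["user"] for e in evs}))
    return flagged

if __name__ == "__main__":
    for ip, (peak, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures in 5 min across {users} usernames")
```

A high failure count spread over several usernames from one source points to guessing rather than a single user mistyping a password, which is why the second source in the sample is not flagged.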

Via BleepingComputer

How to stay safe

As the risk of phishing grows, staying vigilant online remains the best way to be safe.

Users should always be skeptical of unsolicited incoming messages, especially those that demand urgent action or threaten disaster.

These are, and will continue to be, the biggest red flag in phishing attacks.

By admin