- Someone tried to break into Fortinet VPN products
- GreyNoise thinks it is preparation for a zero-day exploit
- Researchers expect a CVE to be published in a few weeks
Fortinet users are again being warned that cybercriminals could be preparing to target their endpoints with attacks on VPN tools.
In early August 2025, GreyNoise researchers first observed a significant spike in brute-force attacks against Fortinet SSL VPNs. A brute-force attack is when an attacker tries every possible password, encryption key or other authentication value until they find the right one.
Two days later, GreyNoise saw the same threat actor try the same thing against FortiManager, Fortinet's centralized management platform for administering and controlling large deployments of Fortinet security devices (FortiGate firewalls, FortiSwitches, FortiAPs and other devices).
80% chance of a CVE
This activity has fueled all kinds of speculation, including the idea that someone out there is experimenting with a zero-day vulnerability in Fortinet products.
They are now in the preparation stage: mapping potential targets, enumerating them and estimating their importance within a network. This could also mean that, to exploit the flaw, the attacker must be authenticated on the device, hence the brute forcing.
So far, there is no evidence of an existing zero-day, and some people think the attackers are really seeking to abuse known, previously patched flaws.
However, in its latest report, GreyNoise said there was a good chance that a zero-day would be exploited in the next two weeks:
“New research shows that spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor – most of them within six weeks,” the researchers said.
“In fact, GreyNoise found that activity spikes triggering this exact tag are significantly correlated with future vulnerabilities disclosed in Fortinet products.”
The researchers stressed that in 80% of the cases observed, spikes in brute-force attacks are followed by a CVE disclosure within six weeks.
There is also a slight possibility that the scans come from a benign actor, such as a researcher, but the researchers are skeptical because researchers' scans are generally broader and more limited.
Via BleepingComputer
How to stay safe
As the risk of phishing increases, staying vigilant online remains the best way to stay safe.
Users should always be skeptical of incoming messages, particularly those that demand urgent action or threaten disaster.
These are, and will continue to be, the biggest red flags of phishing attacks.