- Someone has tried to break into Fortinet VPN products
- GreyNoise believes this is preparation for zero-day exploitation
- The researchers expect a CVE to be published within weeks
Fortinet users are again being warned that cybercriminals could be preparing to target their endpoints using VPN tools.
At the beginning of August 2025, researchers from GreyNoise first observed a significant increase in brute-force attacks against Fortinet SSL VPNs. A brute-force attack is when an attacker tries every possible password, encryption key or other credential until they find the right one.
Two days later, GreyNoise saw the same threat actor trying the same thing against FortiManager, Fortinet's centralized management platform for the administration and control of large deployments of Fortinet security devices (FortiGate firewalls, FortiSwitches, FortiAPs and other appliances).
80% chance of a CVE
This activity has given rise to all sorts of speculation, including the idea that someone out there knows of a zero-day vulnerability in Fortinet's products.
If so, the attackers are now in the preparation stage: mapping potential targets, enumerating them and estimating their importance within a network. It could also mean that the attacker must be authenticated on the device in order to exploit the flaw, hence the brute-forcing.
So far, there is no evidence of any existing zero-day, and some believe that the attackers are actually looking to abuse known, previously discovered flaws instead.
In its latest report, however, GreyNoise said there is a great chance that a zero-day will be exploited in the next few weeks:
“New research shows spikes like this one often precede the disclosure of new vulnerabilities affecting the same vendor – mostly within six weeks,” the researchers said.
“In fact, GreyNoise found that spikes in activity that trigger this exact tag are markedly correlated with future disclosed vulnerabilities in Fortinet products.”
The researchers emphasized that in 80% of the observed cases, spikes in brute-force attacks are followed by a CVE disclosure within six weeks.
There is also a small possibility that the scans actually come from a benign actor, such as a researcher, but the researchers are skeptical, as researcher scans are usually broader in scope and more rate-limited.
Via BleepingComputer
How to remain safe
As the risk of phishing grows, vigilance remains the best way to stay safe.
Users must always be skeptical of unsolicited incoming messages, especially those that demand urgent action or threaten a disaster.
These are and will continue to be the biggest red flags in phishing attacks.



