Fortinet devices under global brute-force attack surge

Summary
– A surge in brute-force attacks targeting Fortinet SSL VPNs may indicate upcoming exploits of undisclosed (possibly zero-day) vulnerabilities in Fortinet devices.
– Cybersecurity firm Greynoise observed two attack waves: one on August 3 targeting Fortinet SSL VPNs and another from August 5 shifting focus to FortiManager services.
– Greynoise research suggests spikes in attack activity often precede new vulnerability disclosures, with 80% of cases followed by a CVE within six weeks.
– Fortinet recently patched multiple vulnerabilities, while an underground forum is reportedly selling a potential zero-day RCE exploit for FortiOS VPN versions 7.4–7.6.
– Admins are advised to block malicious IPs, restrict traffic to trusted sources, and implement security best practices to protect Fortinet devices from attacks.
A concerning spike in brute-force attacks targeting Fortinet SSL VPNs has cybersecurity experts warning of potential zero-day vulnerabilities being exploited. Recent monitoring reveals coordinated attempts to breach these systems, suggesting attackers may be preparing for larger-scale exploits using undisclosed security flaws.
Security analysts at Greynoise detected two distinct waves of malicious activity this month. The first wave on August 3 involved over 780 unique IP addresses systematically attempting credential brute-forcing against Fortinet SSL VPNs. These attempts specifically triggered detection tags related to FortiOS, indicating highly targeted reconnaissance efforts.
By August 5, attackers shifted tactics, redirecting their focus toward FortiManager systems while maintaining SSL VPN brute-forcing attempts. This behavioral change suggests threat actors may be testing multiple entry points within Fortinet’s infrastructure, possibly using the same attack framework against different services.
Fortinet’s SSL VPN functionality primarily exists within FortiGate firewalls running the proprietary FortiOS. While most other Fortinet products lack VPN capabilities, older versions of FortiProxy (7.2.x and earlier) did include this feature before its removal in version 7.4.4.
Historical patterns raise serious concerns about impending vulnerability disclosures. Research indicates that 80% of similar attack surges precede official CVE announcements within six weeks. Previous spikes in Fortinet-related brute-forcing activity have consistently correlated with later vulnerability discoveries in their products.
The timing coincides with Fortinet’s recent security updates addressing multiple flaws, including:
- An actively exploited FortiSIEM vulnerability
- A medium-severity path traversal issue in FortiManager systems
Meanwhile, underground forums reportedly feature an advertisement for a purported zero-day remote code execution exploit affecting FortiOS VPN versions 7.4 through 7.6. The exploit is reportedly priced at approximately $60,000 in bitcoin, but the legitimacy of the offer remains unverified.
Security teams managing Fortinet devices should immediately implement protective measures, including:
- Blocking traffic from identified malicious IP addresses
- Restricting access to trusted IP ranges only
- Enforcing strong authentication protocols
- Applying all available security patches
Ongoing monitoring of network traffic for unusual authentication attempts remains critical as this situation develops. The combination of widespread brute-forcing activity and potential zero-day exploit sales creates a high-risk environment for organizations relying on Fortinet infrastructure.
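To make the monitoring and allow-listing advice concrete, here is an added example (not code from the article or from Fortinet) that parses FortiGate-style SSL VPN event logs, flags source addresses that spray failed logins across several accounts inside a short time window, and lists successful logins from outside a set of trusted ranges. The key=value log format, field names and sample lines are assumptions constructed for this example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate-style key="value" syslog format. Field names
# (action, remip, user, reason) are assumptions, not from the article; IPs are RFC 5737 ranges.
SAMPLE_LOGS = """\
date=2025-08-03 time=04:12:01 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.10" user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-03 time=04:12:02 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.10" user="test" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=04:12:03 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.10" user="guest" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=04:12:04 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.10" user="vpn" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=04:12:05 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.10" user="support" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=04:15:30 type="event" subtype="vpn" action="ssl-login-fail" remip="198.51.100.7" user="jsmith" reason="sslvpn_login_permission_denied"
date=2025-08-03 time=04:15:41 type="event" subtype="vpn" action="tunnel-up" remip="198.51.100.7" user="jsmith" reason="login successfully"
date=2025-08-03 time=04:20:00 type="event" subtype="vpn" action="tunnel-up" remip="192.0.2.44" user="ops" reason="login successfully"
"""
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}

def brute_force_sources(lines, min_failures=5, min_users=3, window_s=60):
    """Map source IP -> total failed logins for sources that hit min_failures failures against min_users accounts within window_s seconds."""
    fails = defaultdict(list)  # remip -> [(timestamp, user)]
    for f in map(parse_line, lines):
        if f.get("action") == "ssl-login-fail":
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            fails[f["remip"]].append((ts, f["user"]))
    flagged = {}
    for ip, evs in fails.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over the sorted failures
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                flagged[ip] = len(evs)
                break
    return flagged

def untrusted_logins(lines, trusted_cidrs):
    """Sorted (remip, user) pairs for successful logins from outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = {(f["remip"], f["user"]) for f in map(parse_line, lines) if f.get("action") == "tunnel-up"
            and not any(ipaddress.ip_address(f["remip"]) in n for n in nets)}
    return sorted(hits)
```

Running `brute_force_sources(SAMPLE_LOGS.splitlines())` flags only 203.0.113.10 (five failures across five accounts in four seconds), while the single failed login from 198.51.100.7 followed by a success is left alone; `untrusted_logins(..., ["192.0.2.0/24"])` then surfaces that login as coming from outside the allow list.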
(Source: HelpNet Security)
