Researchers have reported a "significant spike" in brute-force traffic directed at Fortinet SSL VPN devices. According to threat intelligence company GreyNoise, the coordinated activity was observed on August 3, 2025.

The United States, Hong Kong, Brazil, Spain, and Japan are among the activity's targets. The development coincides with research showing that within six weeks of a spike in malicious activity, a new CVE affecting the same technology is frequently disclosed. Fortinet has been contacted by The Hacker News for additional comment; we will provide an update if we hear back. "This was not opportunistic -- it was focused activity," GreyNoise stated.

The IP addresses involved, which come from the United States, Canada, Russia, and the Netherlands, have all been categorized as malicious. "Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet's SSL VPNs," stated GreyNoise. It further stated, "This indicated a shift in attacker behavior – possibly the same infrastructure or toolset pivoting to a new Fortinet-facing service." Additionally, the company reported that it had detected two different attack waves before and after August 5.

The first was persistent brute-force activity associated with a single TCP signature that stayed largely constant over time, while the second was an abrupt, concentrated spike in traffic with a different TCP signature.