Spike in Fortinet VPN brute-force attacks raises zero-day concerns

What’s new

A significant increase in brute-force attacks targeting Fortinet SSL VPNs was observed on August 3 and August 5, 2025. The attacks shifted from Fortinet SSL VPNs to FortiManager, a pattern that may be a precursor to new vulnerabilities. GreyNoise reported that such spikes often precede vulnerability disclosures, with a correlation observed in 80% of cases.

Who’s affected

Organizations using Fortinet SSL VPNs and FortiManager are at risk due to these brute-force attacks. Specific IP addresses associated with the malicious activity have been identified and should be monitored.

What to do

  • Block the following IP addresses associated with the attacks: 31.206.51.194, 23.120.100.230, 96.67.212.83, 104.129.137.162, 118.97.151.34, 180.254.147.16, 20.207.197.237, 180.254.155.227, 185.77.225.174, 45.227.254.113.
  • Enhance login protection on Fortinet devices.
  • Restrict external access to trusted IP ranges and VPNs.
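
An added example (not part of the original advisory, and not Fortinet or GreyNoise code): a Python triage that counts failed VPN logins per source in exported event logs and reports both the addresses listed above and unlisted sources that cross a failure threshold. The key=value log layout, the `action` and `remip` field names, the `ssl-login-fail` and `tunnel-up` values, and the threshold are assumptions to adapt to your own log export; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Source addresses listed in the advisory above.
ADVISORY_IPS = frozenset(ipaddress.ip_address(ip) for ip in (
    "31.206.51.194", "23.120.100.230", "96.67.212.83", "104.129.137.162",
    "118.97.151.34", "180.254.147.16", "20.207.197.237", "180.254.155.227",
    "185.77.225.174", "45.227.254.113"))

# Assumptions: key=value event lines, field names, action value, threshold.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_ACTION = "ssl-login-fail"
THRESHOLD = 5  # hypothetical: failures per source before it is reported

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def triage(lines, threshold=THRESHOLD):
    """Return (listed, noisy): failed-login counts for advisory IPs and for
    unlisted sources with at least `threshold` failures."""
    failures = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields.get("action") != FAIL_ACTION:
            continue
        try:
            src = ipaddress.ip_address(fields.get("remip", ""))
        except ValueError:
            continue  # missing or malformed source address
        failures[src] += 1
    listed = {str(ip): n for ip, n in failures.items() if ip in ADVISORY_IPS}
    noisy = {str(ip): n for ip, n in failures.items()
             if ip not in ADVISORY_IPS and n >= threshold}
    return listed, noisy

def _line(action, ip, user):
    return f'date=2025-08-03 type="event" subtype="vpn" action="{action}" remip={ip} user="{user}"'
# Constructed sample log (not real traffic); 203.0.113.7 and 198.51.100.20 are documentation addresses.
SAMPLE_LOG = (
    [_line("ssl-login-fail", "31.206.51.194", "admin")] * 2
    + [_line("ssl-login-fail", "45.227.254.113", "test")]
    + [_line("ssl-login-fail", "203.0.113.7", f"user{i}") for i in range(6)]
    + [_line("ssl-login-fail", "198.51.100.20", "alice"),
       _line("tunnel-up", "198.51.100.20", "alice"),
       'action="ssl-login-fail" remip=not-an-ip user="x"'])
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hit in `listed` means a blocked address was still reaching the login page when the log was written, so the block rule is worth rechecking; entries in `noisy` are candidates for the same review even though the advisory does not name them.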
