Brute-force attacks target Fortinet SSL VPNs and FortiManager
Summary
A significant spike in brute-force traffic targeting Fortinet SSL VPN devices was observed on August 3, 2025. The attacks involved over 780 unique IP addresses from various countries, with a shift in tactics noted on August 5, 2025, targeting FortiManager. Additionally, a critical, unauthenticated remote code execution vulnerability (CVE-2025-25256) was disclosed in Fortinet's FortiSIEM platform, affecting versions 5.4 through 7.3.1. The coordinated activity suggests deliberate and precise targeting of Fortinet's SSL VPNs, FortiManager, and FortiSIEM. The attacks originated from IP addresses in the United States, Canada, Russia, and the Netherlands, with targets in the United States, Hong Kong, Brazil, Spain, and Japan. The activity indicates a potential pivot by attackers to new Fortinet-facing services. Historical data indicates a potential test or launch of the brute-force tooling from a residential network in June 2025.
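As an added, defender-side illustration (not code from the cited articles or from Fortinet): the script below buckets failed logins per day and per service, flags a day whose count of distinct failing source addresses jumps against that service's earlier baseline, and lists the sources shared between the SSL VPN wave and the later FortiManager wave. The key=value log format, the service names and all addresses are constructed for the example and are not Fortinet's real syslog fields.

```python
import re
from collections import defaultdict

# Constructed sample of login events in a simplified key=value format (not captured
# from any Fortinet device); real FortiGate/FortiManager syslog uses other field names.
SAMPLE_LOGS = """\
date=2025-08-02 service=sslvpn result=fail src=203.0.113.10 user=admin
date=2025-08-02 service=sslvpn result=fail src=203.0.113.11 user=vpnuser
date=2025-08-03 service=sslvpn result=fail src=198.51.100.1 user=admin
date=2025-08-03 service=sslvpn result=fail src=198.51.100.2 user=admin
date=2025-08-03 service=sslvpn result=fail src=198.51.100.3 user=test
date=2025-08-03 service=sslvpn result=fail src=198.51.100.4 user=admin
date=2025-08-03 service=sslvpn result=fail src=198.51.100.5 user=admin
date=2025-08-03 service=sslvpn result=fail src=198.51.100.6 user=admin
date=2025-08-03 service=sslvpn result=ok src=192.0.2.7 user=alice
date=2025-08-05 service=fortimanager result=fail src=198.51.100.1 user=admin
date=2025-08-05 service=fortimanager result=fail src=198.51.100.2 user=admin
date=2025-08-05 service=fortimanager result=fail src=198.51.100.8 user=admin
date=2025-08-05 service=fortimanager result=fail src=198.51.100.9 user=admin
date=2025-08-05 service=fortimanager result=fail src=198.51.100.3 user=admin
"""

LINE_RE = re.compile(r"date=(\S+) service=(\S+) result=(\S+) src=(\S+)")

def distinct_failing_sources(lines):
    """Map (date, service) -> set of source IPs with at least one failed login."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "fail":
            day, service, _, src = m.groups()
            seen[(day, service)].add(src)
    return seen

def find_spikes(seen, factor=3.0, min_sources=5):
    """Flag days where a service's distinct failing sources reach min_sources and
    at least `factor` times the largest daily count seen earlier for that service."""
    alerts, history = [], defaultdict(int)
    for key in sorted(seen):
        day, service = key
        n = len(seen[key])
        if n >= min_sources and n >= factor * max(history[service], 1):
            alerts.append((day, service, n))
        history[service] = max(history[service], n)
    return alerts

def shared_sources(seen, first, second):
    """Source IPs common to two (date, service) buckets, e.g. the SSL VPN wave and
    the later FortiManager wave: the same hosts pivoting to a new target."""
    return seen[first] & seen[second]
```

On the constructed sample the SSL VPN day and the FortiManager day are both flagged, and three of the FortiManager sources are carried over from the SSL VPN wave.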
Timeline
- 14.08.2025 00:15 · 1 article
Fortinet discloses critical remote code execution vulnerability in FortiSIEM
A critical, unauthenticated remote code execution vulnerability (CVE-2025-25256) was disclosed in Fortinet's FortiSIEM platform, affecting versions 5.4 through 7.3.1. The vulnerability allows an unauthenticated remote attacker to run arbitrary code on affected systems via specially crafted CLI requests. Fortinet has released updated versions of the products and advised organizations to update or migrate to the fixed versions. The flaw does not generate any distinctive indicators of compromise when exploited, making device compromise harder to detect.
Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- 12.08.2025 20:05 · 2 articles
Brute-force attacks target Fortinet SSL VPNs and FortiManager
The spike in brute-force traffic targeting Fortinet SSL VPN devices on August 3, 2025, involved over 780 unique IP addresses from various countries. The attacks originated from IP addresses in the United States, Canada, Russia, and the Netherlands, with targets in the United States, Hong Kong, Brazil, Spain, and Japan. A shift in tactics was noted on August 5, 2025, with attacks targeting FortiManager. The coordinated activity suggests deliberate and precise targeting of Fortinet's SSL VPNs and FortiManager. Historical data indicates a potential test or launch of the brute-force tooling from a residential network in June 2025.
Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
Information Snippets
- Over 780 unique IP addresses participated in the brute-force attacks on August 3, 2025.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The attacks originated from IP addresses in the United States, Canada, Russia, and the Netherlands.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain, and Japan.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The initial wave of attacks targeted Fortinet SSL VPNs, specifically the FortiOS profile.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- A second wave of attacks, starting August 5, 2025, targeted FortiManager.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- Historical data indicates a potential test or launch of the brute-force tooling from a residential network in June 2025.
  First reported: 12.08.2025 20:05 · 1 source, 1 article
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- The attacks suggest a deliberate and precise targeting of Fortinet's SSL VPNs and FortiManager.
  First reported: 12.08.2025 20:05 · 2 sources, 2 articles
  Sources:
- Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager — thehackernews.com — 12.08.2025 20:05
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- A critical, unauthenticated remote code execution vulnerability (CVE-2025-25256) was disclosed in Fortinet's FortiSIEM platform.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The vulnerability allows an unauthenticated remote attacker to run arbitrary code on affected systems via specially crafted CLI requests.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The flaw affects all FortiSIEM versions from 5.4 through 7.3.1.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- Fortinet has released updated versions of the products and advised organizations to update or migrate to the fixed versions.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The flaw does not generate any distinctive indicators of compromise when exploited, making device compromise harder to detect.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- GreyNoise reported a significant spike in brute-force traffic directed against Fortinet SSL VPNs and FortiManager, emanating from as many as 780 unique IP addresses.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- The attacks targeted FortiOS in the first wave and FortiManager in the second wave.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- Previous surges in similar activity targeting Fortinet products were strongly correlated with vulnerability disclosures within six weeks.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
- 80% of observed instances of similar traffic spikes were followed by a CVE disclosure.
  First reported: 14.08.2025 00:15 · 1 source, 1 article
  Sources:
- Fortinet Products Are in the Crosshairs Again — www.darkreading.com — 14.08.2025 00:15
Similar Happenings
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. 
The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, SonicWall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
AI-Based Penetration Testing Tool Achieves Top Spot on HackerOne Leaderboard
An AI-powered penetration testing tool developed by XBOW has become the first non-human bug hunter to reach the top of HackerOne's US leaderboard. The tool, demonstrated at Black Hat USA, uses a capture-the-flag (CTF) approach to discover vulnerabilities with a low false-positive rate. XBOW's method involves placing 'canaries' in source code and using AI agents to find them, effectively gamifying the vulnerability discovery process. The tool has identified 285 vulnerabilities on HackerOne this year, including 22 confirmed CVEs and over 650 potential flaws. The success highlights the potential of AI in penetration testing while also addressing the issue of false positives generated by large language models (LLMs).
Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-25256) Exploited in the Wild
Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround.
Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences on an organization, their network, and operations, including the compromise of sensitive information and disruption of operations.