Fortinet SSL VPN brute-force campaign shifting to FortiManager

Campaign
Happening score: 33
1 unique source, 1 article

Summary

A Fortinet-targeted brute-force campaign is generating sustained login pressure against SSL VPN and later FortiManager services, increasing the chance of unauthorized access across enterprise edge environments. The activity was observed on August 3, 2025 with over 780 unique IP addresses involved, and it was not a one-off burst. The targeting pattern suggests the same infrastructure or toolset may be pivoting across Fortinet-facing services.

Related Happenings

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

ICTBroadcast exposed-server exploitation wave

Exploitation Wave
First: 15.10.2025 09:16 Last: 15.10.2025 09:16 Sources 1

About this happening: **Approximately 200 exposed ICTBroadcast instances** are facing **active exploitation**, with attackers using a **two-phase** sequence that first tests command execution and then...

Multi-country botnet RDP reconnaissance campaign targeting U.S. services

Campaign
First: 13.10.2025 21:05 Last: 13.10.2025 21:05 Sources 1

About this happening: A **multi-country botnet** launched a **large-scale RDP reconnaissance campaign** against **U.S. services**, using **timing attacks** and **login enumeration** to infer valid acco...

Timeline

  1. 12.08.2025 20:05 · 1 article

    Brute-force spike against Fortinet SSL VPN devices

    Exploitation Observed

    GreyNoise observed a coordinated burst of brute-force traffic against Fortinet SSL VPN devices, with over 780 unique IP addresses participating and the activity specifically targeting the FortiOS profile. The IPs were classified as malicious and the targets included the United States, Hong Kong, Brazil, Spain, and Japan.

  2. 12.08.2025 20:05 · 1 article

    Attackers pivot from FortiOS to FortiManager

    Campaign Scope Update

    Traffic fingerprinted with TCP and client signatures from August 5, 2025 onward stopped hitting FortiOS and consistently targeted FortiManager, indicating that the same infrastructure or toolset pivoted to another Fortinet-facing service.

  3. 12.08.2025 20:05 · 1 article

    Public warning on Fortinet brute-force campaign

    Initial Disclosure

    Public reporting on August 12, 2025 highlighted the brute-force wave against Fortinet SSL VPN devices, the August 3 FortiOS-focused spike, and the later FortiManager pivot, framing the activity as a coordinated campaign rather than isolated opportunistic traffic.