Fortinet SSL VPN Gets Hammered—780 Unique IPs Join the Brute-Force Pileup

Back in August 2025, threat intelligence firm GreyNoise detected a coordinated brute-force wave targeting Fortinet SSL VPN devices. We’re not talking about random opportunistic scanning—this was focused, deliberate activity from 780 unique IP addresses all participating in a precisely coordinated assault. The activity spiked on August 3, with ongoing waves continuing afterward.

What made this particularly noteworthy was the targeting precision. GreyNoise observed two distinct assault waves: first, a long-running brute-force activity tied to a single TCP signature, then a sudden concentrated burst with a different TCP signature. The second wave involved deliberate and precise targeting of Fortinet’s SSL VPN profile. This wasn’t script-kiddie stuff; it was organized, adaptable, and strategic.

The IP addresses participating in the campaign originated from the United States, Canada, Russia, and the Netherlands. Target organizations spanned the United States, Hong Kong, Brazil, Spain, and Japan. Geographic distribution like that suggests either a botnet operation using compromised devices globally or coordinated attacks from multiple criminal groups sharing targeting lists.

The implications are straightforward: if you’re running Fortinet SSL VPN devices and relying on weak password policies, you’re essentially leaving your front door unlocked with a sign that says “Please exploit us.” VPN endpoints are prime targets for initial access because they provide direct pathways into internal networks. Once an attacker gains credentials through brute force, they have a legitimate-looking connection that bypasses perimeter defenses.

This is a recurring theme in my work on critical infrastructure vulnerabilities and network security. Remote access solutions—regardless of vendor—remain high-value targets because they bridge the gap between external threats and internal networks. The security community has known this for years, yet organizations continue deploying VPNs with default credentials and weak password policies.

The fix is unsexy but effective: strong password policies, multi-factor authentication, account lockout policies after failed login attempts, and network segmentation so that even if someone gets VPN access, they can’t immediately pivot to critical systems. Monitor your VPN logs for suspicious activity. If you’re seeing hundreds of failed login attempts, that’s not a drill—someone’s actively trying to break in.
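As an added example (not from the original post, GreyNoise or Fortinet), here is a small Python check in the spirit of the advice above: it parses constructed FortiGate-style SSL VPN event lines and flags both a single source with repeated failures and many distinct sources failing inside one time window, the distributed pattern the campaign showed. The field names follow FortiGate's key=value log convention; the IPs, usernames and thresholds are assumptions chosen for the sample.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed FortiGate-style SSL VPN event log lines (key=value format); the
# field names follow FortiGate's convention but every value here is made up.
SAMPLE_LOGS = """\
date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpn" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:20 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="admin" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:00:31 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.44 user="admin" reason="sslvpn_login_unknown_user"
date=2025-08-03 time=10:02:15 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.18 user="alice" reason="N/A"
date=2025-08-03 time=14:30:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.99 user="bob" reason="sslvpn_login_unknown_user"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def failed_logins(lines):
    """Return time-sorted (timestamp, remote_ip, user) tuples for each SSL VPN login failure."""
    out = []
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "ssl-login-fail":
            continue  # successful logins and other events are not failures
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        out.append((ts, f.get("remip"), f.get("user")))
    return sorted(out, key=lambda e: e[0])

def detect_bruteforce(lines, window_s=300, per_ip_threshold=5, distinct_ip_threshold=3):
    """Two signals: one source hammering the VPN (classic brute force), and many
    distinct sources failing inside one window (the coordinated, distributed
    pattern). Thresholds are deliberately low to fit the small sample."""
    events = failed_logins(lines)
    per_ip = Counter(ip for _, ip, _ in events)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    max_distinct, start = 0, 0
    for end in range(len(events)):  # sliding window over time-sorted failures
        while (events[end][0] - events[start][0]).total_seconds() > window_s:
            start += 1
        max_distinct = max(max_distinct, len({ip for _, ip, _ in events[start:end + 1]}))
    return {"total_failures": len(events), "noisy_ips": noisy_ips,
            "max_distinct_ips_in_window": max_distinct,
            "distributed": max_distinct >= distinct_ip_threshold}
```

Calling `detect_bruteforce(SAMPLE_LOGS.splitlines())` returns the summary dict; on real logs, raise the thresholds to match the device's normal failure baseline so that a handful of mistyped passwords does not page anyone.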
