Spike in Fortinet VPN brute-force attacks raises zero-day concerns


What’s new

A significant increase in brute-force attacks targeting Fortinet SSL VPNs was observed on August 3 and August 5, 2025. This activity has raised concerns about potential zero-day vulnerabilities, as similar spikes have historically preceded vulnerability disclosures. The attacks shifted from FortiOS SSL VPNs to FortiManager, indicating a deliberate targeting strategy.

Who’s affected

Organizations using Fortinet SSL VPNs and FortiManager are at risk due to these brute-force attacks. The specific IP addresses involved in the attacks should be monitored and blocked to prevent unauthorized access.

What to do

  • Block the following IP addresses associated with the brute-force attempts: 31.206.51.194, 23.120.100.230, 96.67.212.83, 104.129.137.162, 118.97.151.34, 180.254.147.16, 20.207.197.237, 180.254.155.227, 185.77.225.174, 45.227.254.113.
  • Enhance login protection on Fortinet devices.
  • Restrict external access to trusted IP ranges and VPNs where possible.
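To support the monitoring and blocking steps above, the following added example (not from the original report or from Fortinet) tallies failed SSL VPN logins per source IP and separates sources on the advisory list from other sources that exceed a failure threshold. The key=value log layout, the `action`/`remip` field names, the `ssl-login-fail` value and the threshold are assumptions; adjust them to match your own log export.

```python
import re
from collections import Counter

# IP addresses listed in the advisory above.
ADVISORY_IPS = {
    "31.206.51.194", "23.120.100.230", "96.67.212.83", "104.129.137.162",
    "118.97.151.34", "180.254.147.16", "20.207.197.237", "180.254.155.227",
    "185.77.225.174", "45.227.254.113",
}

# Assumed log layout: space-separated key=value pairs, values optionally quoted.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines (not real traffic); non-advisory sources use
# documentation address ranges.
SAMPLE_LOG = [
    'date=2025-08-05 time=02:14:07 subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="admin"',
    'date=2025-08-05 time=02:14:09 subtype="vpn" action="ssl-login-fail" remip=203.0.113.50 user="test"',
    'date=2025-08-05 time=02:14:10 subtype="vpn" action="ssl-login-fail" remip=203.0.113.50 user="guest"',
    'date=2025-08-05 time=02:14:11 subtype="vpn" action="ssl-login-fail" remip=203.0.113.50 user="vpn"',
    'date=2025-08-05 time=08:30:00 subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"',
    'date=2025-08-05 time=08:30:20 subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice"',
]


def parse_line(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in PAIR.findall(line)}


def failed_logins_by_source(lines, fail_action="ssl-login-fail"):
    """Count failed VPN logins per remote IP (field names are assumptions)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") == fail_action and "remip" in rec:
            counts[rec["remip"]] += 1
    return counts


def triage(lines, threshold=3):
    """Split failing sources into advisory-listed IPs and other noisy IPs."""
    counts = failed_logins_by_source(lines)
    listed = sorted(ip for ip in counts if ip in ADVISORY_IPS)
    noisy = sorted(ip for ip, n in counts.items()
                   if n >= threshold and ip not in ADVISORY_IPS)
    return {"advisory_hits": listed, "over_threshold": noisy}
```

A single failure from an advisory-listed address is reported regardless of the threshold, while unlisted sources are reported only once they reach it.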

Sources