A Storm on the Horizon: Fortinet SSL VPNs Hit by Credential-Stuffing Attacks
Researchers have reported a sharp surge in credential-stuffing attempts against Fortinet devices with SSL VPN enabled. On August 3, 2025, GreyNoise observed a wave of suspicious traffic from more than 780 distinct IP addresses, and in the 24 hours before its report a further 56 malicious sources were identified. The attack traffic originated from the United States, Canada, Russia, and the Netherlands; the targeted devices were located in the United States, Hong Kong, Brazil, Spain, and Japan.
The researchers emphasize that the activity was aimed specifically at Fortinet appliances. The requests matched FortiOS-specific signatures, which points to a deliberately orchestrated operation rather than opportunistic internet-wide scanning, with the attackers clearly focusing on the platform's SSL VPN functionality.
Analysis revealed two distinct phases. The first was a prolonged credential-stuffing campaign in which all traffic shared the same TCP fingerprint. The second wave, beginning after August 5, brought a dramatic spike in volume and a different network pattern. Where the first phase targeted FortiOS, the later phase shifted toward FortiManager, suggesting either a change in objectives or the reuse of existing infrastructure and tooling for a new goal.
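The campaign described above has the two signatures a defender can look for in FortiGate event logs: many distinct source IPs failing SSL VPN logins in the same short window, and individual sources cycling through many usernames. The following detector is an added example, not code from GreyNoise, Fortinet or the original report. It parses FortiOS-style key="value" event lines (the layout, field names and sample lines are constructed approximations, not verified FortiOS output), buckets SSL VPN login failures into fixed windows, and raises an alert for either pattern. The window size and thresholds are assumed defaults a practitioner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS writes one event per line as key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
EPOCH = datetime(1970, 1, 1)


def parse_fortios_line(line):
    """Parse a FortiOS-style key=value log line into a dict of strings."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def sslvpn_login_failures(lines):
    """Yield (timestamp, source_ip, username) for each SSL VPN login failure."""
    for line in lines:
        rec = parse_fortios_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "ssl-login-fail":
            continue  # successes and non-VPN events are ignored
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        yield ts, rec.get("remip", "?"), rec.get("user", "?")


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               users_per_ip=5, distinct_ips=20):
    """Bucket failures into fixed windows and flag two patterns.

    stuffing_source: one IP failing against >= users_per_ip distinct accounts
    distributed:     >= distinct_ips different IPs failing in the same window
                     (the many-source pattern described in the report)
    Returns alert dicts ordered by window start; thresholds are assumed defaults.
    """
    span = window.total_seconds()
    users_by_ip = defaultdict(lambda: defaultdict(set))  # window -> ip -> {users}
    attempts = defaultdict(int)                          # window -> failure count
    for ts, ip, user in sslvpn_login_failures(lines):
        start = EPOCH + timedelta(seconds=((ts - EPOCH).total_seconds() // span) * span)
        users_by_ip[start][ip].add(user)
        attempts[start] += 1

    alerts = []
    for start in sorted(users_by_ip):
        per_ip = users_by_ip[start]
        for ip, users in sorted(per_ip.items()):
            if len(users) >= users_per_ip:
                alerts.append({"kind": "stuffing_source", "window": start,
                               "ip": ip, "distinct_users": len(users)})
        if len(per_ip) >= distinct_ips:
            alerts.append({"kind": "distributed", "window": start,
                           "distinct_ips": len(per_ip), "attempts": attempts[start]})
    return alerts


def _fail(ts, ip, user):
    """Constructed SSL VPN login-failure line in an approximated FortiOS layout."""
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} type="event" subtype="vpn" '
            f'level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" '
            f'tunneltype="ssl-web" remip="{ip}" user="{user}" '
            f'reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"')


def sample_log():
    """Constructed sample: a distributed burst, one noisy source, and benign noise."""
    base = datetime(2025, 8, 3, 14, 0, 0)
    lines = [_fail(base + timedelta(seconds=10 * i), f"203.0.113.{i + 1}", f"user{i:02d}")
             for i in range(25)]                       # 25 sources, one guess each
    lines += [_fail(base + timedelta(minutes=3, seconds=j), "198.51.100.7", f"employee{j}")
              for j in range(8)]                       # one source, eight accounts
    lines.append('date=2025-08-03 time=14:05:00 type="event" subtype="vpn" level="information" '
                 'vd="root" action="ssl-login" tunneltype="ssl-web" remip="192.0.2.10" '
                 'user="alice" msg="SSL user logged in"')          # success: ignored
    lines.append('date=2025-08-03 time=14:05:30 type="event" subtype="system" level="information" '
                 'vd="root" action="login" user="admin" msg="Administrator admin logged in"')
    lines.append(_fail(base + timedelta(hours=1), "192.0.2.12", "bob"))  # lone failure
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing(sample_log()):
        print(alert)
```

Run against the constructed sample, the detector raises one `stuffing_source` alert for 198.51.100.7 (eight accounts in one window) and one `distributed` alert for the 14:00 window (26 distinct sources, 33 failures); the successful login, the admin event and the lone later failure produce nothing. The distributed rule is the one that matters for a campaign like this, because each individual source may stay below any per-IP lockout threshold.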
Further investigation showed that the same client fingerprint had already been seen in June, associated with a FortiGate device reachable through the residential network of the ISP Pilot Fiber Inc. This raises the possibility that the tooling was first tested in a home environment, although the use of a residential proxy network cannot be ruled out.
GreyNoise warns that activity spikes of this kind often precede the disclosure of new vulnerabilities: in its historical data, a CVE affecting the targeted technology is frequently published within six weeks of such a surge, most often in systems at the corporate network perimeter such as VPNs, gateways, and remote-access solutions. This is a statistical correlation rather than evidence of a specific flaw, but it is a reasonable prompt to review exposure of Fortinet SSL VPN interfaces now.
Fortinet has not yet issued an official statement.