If you manage Fortinet products, pay close attention. Attackers are actively probing Fortinet systems worldwide, and activity spikes of this kind have often preceded the disclosure of a new vulnerability. At the same time, Fortinet has disclosed a critical flaw in FortiSIEM, its security information and event management (SIEM) product, and has confirmed that working exploit code has already been found in the wild.
Taken together, these two developments call for immediate action to protect your networks.
A Wave of Attacks on Fortinet Systems
Security researchers have observed a large, coordinated attack campaign aimed squarely at Fortinet products. On August 3, 2025, a sharp spike in brute-force attacks was detected. Brute forcing is the automated submission of large numbers of username and password combinations until one is accepted. More than 780 distinct IP addresses took part in this wave.
It was the largest wave of its kind in months. The source addresses were concentrated in:
- United States
- Canada
- Russia
- Netherlands
The targets were organizations in:
- Hong Kong
- Brazil
- United States
- Spain
- Japan
The attackers first targeted Fortinet's SSL VPN, the service that gives remote workers an encrypted path into the corporate network. Partway through the campaign the traffic shifted abruptly to FortiManager, the platform used to centrally administer many Fortinet devices at once. That shift matters: FortiManager pushes configuration to every device it manages, so an attacker who controls it can compromise an entire fleet of firewalls rather than a single device.
Security experts warn that this is not random background noise. Focused bursts like this frequently precede the public disclosure of a previously unknown vulnerability (a zero-day). It looks as if the attackers are mapping exposed systems and preparing for a larger intrusion.
Why This Pattern Scares Security Experts
History offers a warning here. When attackers suddenly concentrate on one vendor's products like this, a new vulnerability in those products is often disclosed within the following six weeks, as if the attackers already knew something defenders did not.
GreyNoise, the threat-intelligence firm that reported the spike, assessed that this was not ordinary internet scanning. The traffic was planned and targeted, and the operators appeared to know exactly what they were doing.
A Critical Flaw in FortiSIEM (CVE-2025-25256)
Separately from the brute-force campaign, Fortinet has disclosed a critical vulnerability in FortiSIEM. It is tracked as CVE-2025-25256 and carries a CVSS score of 9.8 out of 10, which places it in the critical band.
The flaw is an OS command injection (CWE-78): input from a crafted request reaches an operating-system command without being neutralized, so a remote attacker who has never authenticated can make the system run commands of the attacker's choosing. In the worst case that means complete control of the device.
What makes this vulnerability so dangerous:
- No credentials are needed; the attacker does not have to log in first
- Successful exploitation yields complete control of the system
- The attacker can run arbitrary operating-system commands
- Exploitation leaves few distinctive traces, so it is hard to tell after the fact whether it was used against you
Worse still, Fortinet has confirmed that practical exploit code for this vulnerability has been found in the wild, which makes patching urgent.
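To make the vulnerability class concrete, here is an added illustration of OS command injection in Python. It is not FortiSIEM code and says nothing about how CVE-2025-25256 itself is triggered; the `echo` command, the hostname-style input and the regex allowlist are choices made for this demonstration, and it assumes a POSIX shell. The vulnerable function splices untrusted input into a shell string; the two safe variants show that dropping the shell stops the injection and that an allowlist rejects the input outright.

```python
import re
import subprocess

# Constructed attacker input: looks like a hostname but carries a second
# command after the shell's ';' separator.
MALICIOUS_INPUT = "host1; echo INJECTED"
BENIGN_INPUT = "host1"


def run_vulnerable(name: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a command
    string handed to /bin/sh, which parses the ';' and runs the attacker's
    second command."""
    result = subprocess.run("echo " + name, shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_argv_only(name: str) -> str:
    """Same command without a shell: the input is one literal argv entry, so
    the ';' is just a character in a string and nothing extra executes."""
    result = subprocess.run(["echo", name], capture_output=True,
                            text=True, check=False)
    return result.stdout


# Allowlist for a DNS-style hostname (assumed input format for this demo).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def run_hardened(name: str) -> str:
    """Hardened form: reject anything outside the allowlist, then pass an
    argv list so the value is never interpreted by a shell."""
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"rejected input: {name!r}")
    return run_argv_only(name)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(MALICIOUS_INPUT)))  # INJECTED ran
    print("argv only :", repr(run_argv_only(MALICIOUS_INPUT)))  # literal text
    try:
        run_hardened(MALICIOUS_INPUT)
    except ValueError as exc:
        print("hardened  :", exc)
```

The argv-only variant is already safe against shell metacharacters, but the allowlist is still worth keeping: it also rejects input that is syntactically harmless to the shell yet meaningless to the underlying program.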
Who is at risk?
The following FortiSIEM versions are affected:
- 7.3.0 through 7.3.1
- 7.2.0 through 7.2.5
- 7.1.0 through 7.1.7
- 7.0.0 through 7.0.3
- 6.7.0 through 6.7.9
- Every release in the 6.6 branch and earlier
If you run any of these versions, your system is exposed right now.
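As an added triage helper that is not part of the original article, the Python below parses FortiSIEM version strings and maps each one to the affected ranges listed above. The fixed builds 7.3.2 and 7.2.6 are the ones this page names; 7.1.8, 7.0.4 and 6.7.10 are taken from Fortinet's advisory for CVE-2025-25256 and should be verified against the current advisory before you rely on them. Versions outside every listed branch are reported as "not listed" rather than guessed at.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (last affected build, first fixed build) per branch; every branch starts at
# x.y.0. 7.3.2 and 7.2.6 come from the text above; 7.1.8, 7.0.4 and 6.7.10 are
# assumed from Fortinet's CVE-2025-25256 advisory and must be verified.
BRANCHES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (7, 3): ((7, 3, 1), (7, 3, 2)),
    (7, 2): ((7, 2, 5), (7, 2, 6)),
    (7, 1): ((7, 1, 7), (7, 1, 8)),
    (7, 0): ((7, 0, 3), (7, 0, 4)),
    (6, 7): ((6, 7, 9), (6, 7, 10)),
}
OLDEST_PATCHED_BRANCH = (6, 7)   # 6.6 and below: affected, no fixed build


def parse_version(text: str) -> Version:
    """Accept 'major.minor.patch' only; anything else is an inventory error."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(text: str) -> Dict[str, str]:
    """Classify one version as affected / fixed / not listed, with the action."""
    v = parse_version(text)
    branch = v[:2]
    if branch in BRANCHES:
        last_affected, first_fixed = BRANCHES[branch]
        if v <= last_affected:
            return {"version": text, "status": "affected",
                    "action": f"upgrade to {fmt(first_fixed)} or later"}
        return {"version": text, "status": "fixed", "action": "none"}
    if branch < OLDEST_PATCHED_BRANCH:
        return {"version": text, "status": "affected",
                "action": "no fixed build in this branch; migrate to a fixed release"}
    return {"version": text, "status": "not listed",
            "action": "not in the advisory ranges; check Fortinet's current advisory"}


def triage_inventory(versions: List[str]) -> Dict[str, Dict[str, str]]:
    """Run triage over an inventory export, one version string per appliance."""
    return {v: triage(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory for the demo.
    for v, result in triage_inventory(["7.3.1", "7.3.2", "6.6.3", "7.4.0"]).items():
        print(v, result["status"], "->", result["action"])
```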
What You Must Do to Protect Yourself
Given the active attacks and the known critical vulnerability, inaction is not an option. Here is what you need to do immediately:
Patch Your Systems
The most important step is to upgrade FortiSIEM to a fixed build. Fortinet has released fixes for each supported branch, for example 7.3.2 and 7.2.6 or later. Branches such as 6.6 and below have no fixed build; those installations must be migrated to a supported, fixed release.
Use the Workaround
If you cannot upgrade immediately, Fortinet offers a temporary workaround: restrict access to the phMonitor service (TCP port 7900) so that only trusted internal hosts can reach it. The port should never be reachable from the internet, and any existing firewall exception for it should be reviewed.
Harden Your VPNs
In response to the brute-force campaign, tighten VPN access: enforce strong passwords, enable multi-factor authentication, restrict the source IP addresses allowed to connect where that is practical, and apply login lockout thresholds so that repeated failures are throttled rather than allowed to run unbounded.
Monitor Your Logs
Keep a close watch on your logs. Look for failed login attempts from a single address, one address cycling through many usernames, a successful login that follows a burst of failures, and unexpected commands or configuration changes by administrator accounts. Attackers in one campaign were seen wiping system logs to cover their tracks, so forward logs to a separate, append-only collector; a cleared local log should then itself be treated as an alert.
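As an added example that is not part of the original article, the Python below implements the detection logic for the brute-force pattern described earlier in this piece and the log review recommended here. The log lines are constructed for the example and modeled on FortiGate's key="value" event-log format; the field names and action values (`action="ssl-login-fail"`, `action="tunnel-up"`, `remip`, `user`) are assumptions to be checked against your own devices' output, and the thresholds are illustrative. It flags a burst of failures from one address, one address spraying many usernames, and a success that follows either pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log, modeled on FortiGate's key="value" event format.
# Field names and action values are assumptions for this example.
_TEMPLATE = ('date=2025-08-03 time={t} type="event" subtype="vpn" '
             'action="{a}" user="{u}" remip="{ip}" msg="{m}"')
_EVENTS = [
    ("02:14:01", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:14:09", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:14:17", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:14:25", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:14:33", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:14:41", "ssl-login-fail", "admin", "198.51.100.23"),
    ("02:15:02", "tunnel-up", "admin", "198.51.100.23"),       # success after the burst
    ("02:20:00", "ssl-login-fail", "jsmith", "203.0.113.77"),  # one IP, many users
    ("02:21:00", "ssl-login-fail", "mlee", "203.0.113.77"),
    ("02:22:00", "ssl-login-fail", "rchen", "203.0.113.77"),
    ("03:05:12", "ssl-login-fail", "bob", "192.0.2.10"),       # a single typo, not an attack
]
SAMPLE_LOG: List[str] = [
    _TEMPLATE.format(t=t, a=a, u=u, ip=ip,
                     m="SSL tunnel established" if a == "tunnel-up"
                       else "SSL user failed to log in")
    for t, a, u, ip in _EVENTS
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value / key="value" log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      fail_threshold=5, user_threshold=3) -> Dict[str, dict]:
    """Return {source_ip: finding} for addresses whose failed SSL VPN logins
    look like a brute-force burst (>= fail_threshold failures inside `window`),
    a password spray (failures across >= user_threshold distinct users), or a
    successful login following either pattern."""
    fails = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = set()           # ips that logged in successfully
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        if ev.get("action") == "ssl-login-fail":
            fails[ev["remip"]].append((ts, ev.get("user", "")))
        elif ev.get("action") == "tunnel-up":
            successes.add(ev["remip"])

    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        # Peak number of failures inside any sliding window of length `window`.
        peak, start = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u in attempts}
        tags = []
        if peak >= fail_threshold:
            tags.append("brute-force")
        if len(users) >= user_threshold:
            tags.append("password-spray")
        if tags and ip in successes:
            tags.append("success-after-failures")
        if tags:
            findings[ip] = {"failures": len(attempts), "peak_in_window": peak,
                            "distinct_users": len(users), "tags": tags}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The "success-after-failures" tag is the one to escalate first: a burst of failures followed by a tunnel coming up from the same address is the signature of a guessed password, and the account should be locked and its sessions terminated while you investigate.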
This episode illustrates why defending networks is hard. Attackers are better organized than ever: they trade tooling and techniques on dark-web forums and coordinate campaigns across hundreds of source addresses.
Meanwhile, vendors of security products struggle to ship fixes fast enough, and even when fixes are available many organizations are slow to install them.
The timing is unlikely to be coincidental. The brute-force spike, the reported dark-web activity and the disclosure of the FortiSIEM flaw all landed within days of each other, which suggests coordination among organized criminal groups.
Don’t Panic, But Do Act Fast
Yes, this situation is serious. But don’t let fear paralyze you. Focus on what you can control:
- Update your systems immediately
- Follow the security recommendations
- Monitor your networks more closely
- Have a plan for responding to attacks
Remember, security is never perfect. The goal is to be a harder target than the next organization on the list, because criminals usually go after the easiest targets first.
If you manage Fortinet products, treat this as an emergency. The longer you wait, the more danger you face. These attacks are real, they’re happening now, and they could hit your organization next.
The good news is that Fortinet has provided fixes and guidance. Use them. Your network’s safety depends on taking action today, not tomorrow.