Over 15,000 Fortinet FortiGate firewalls have been exposed in a breach, and thousands of them still have login interfaces reachable from the internet and open to exploitation. GreyNoise has identified hundreds of these devices actively being weaponized by attackers for malicious purposes, providing defenders with a real-time view into their behavior and intent. 

This breach, tied to CVE-2022-40684 — an authentication bypass vulnerability disclosed in late 2022 — has created new opportunities for attackers to exploit these devices. While patches have been available since October 2022, thousands of firewalls remain exposed as of January 2025, continuing to pose a serious risk. 

But this breach isn’t just about exposure — it's about the active exploitation happening right now. In this blog, GreyNoise reveals how attackers are leveraging these devices in real time and provides critical insights to help defenders respond effectively.

GreyNoise’s Real-Time Insights: What We’re Seeing 

GreyNoise specializes in observing and classifying internet activity in real time. Our global observation grid tracks attacker behaviors by monitoring interactions with thousands of our sensors worldwide. Unlike sources that focus on theoretical risks or exposure, GreyNoise reveals the actual behaviors of these compromised devices as they interact with our sensors.

According to Censys, around 4,600 of the 15,000+ affected IPs are still exposing their FortiGate web login interfaces, down from over 5,000 when Censys published its blog post on the figures. The chart below illustrates the steady decline.  

Source: Censys

Key Observations from GreyNoise: 

1. In this Case, Interaction with GreyNoise’s Sensors = Harmful Intent

Firewalls hitting GreyNoise’s sensors are behaving abnormally. 

  • “The majority of affected IPs are classified as Unknown simply because we don’t yet have tags for their activity,” explains Bob Rudis, VP of Data Science, Security Research & Detection Engineering. “But make no mistake: by hitting our sensor network, all 366 IPs are up to no good.” 
  • All 366 IPs are engaging in behaviors indicative of threat activity. While some are confirmed as malicious, others are flagged as Suspicious or Unknown but still require attention. 

2. Behavioral Breakdown and List of Compromised IPs 

GreyNoise classifies observed activity into three categories. Here’s the breakdown for the 366 Fortinet IPs:  

  • Malicious (35 IPs): Actively scanning, probing, or delivering malicious payloads. 
  • Suspicious (45 IPs): Abnormal or pre-malicious behavior flagged under GreyNoise’s new “Suspicious” classification, designed to provide early warnings. 
  • Unknown (286 IPs): Activity that doesn’t match known tags but is inherently suspect, as Fortinet firewalls shouldn’t scan or probe networks. This suggests the devices are being leveraged for malicious purposes.

This activity is not new. GreyNoise has observed compromised Fortinet devices exhibiting harmful behaviors over several years, as shown below. The timeline highlights both the first and most recent sightings of these devices interacting with our sensor network.

To help defenders — particularly firewall administrators — take immediate action, we’re sharing a list of the 366 Fortinet IPs interacting with our sensor network, updated as of January 28: 

Download the full list of observed IPs here. This information may change; to view a dynamic list of all IPs interacting with our network, navigate to the GreyNoise Analysis Tab:

Paste the 15,000+ affected IPs:

Click “ANALYZE,” and explore the results:

3. Threat Trends: What Attackers are Doing

Tags assigned to these devices reveal active reconnaissance or exploitation activity originating from compromised Fortinet systems: 

  • SMBv1 Crawlers (82 instances): Scanning for outdated SMB protocols, often linked to WannaCry-like attacks. 
  • SSH Connection Attempts (24 instances): Brute-force or reconnaissance targeting S
  • WebCrawler (23 instances): Reconnaissance aimed at mapping networks or identifying exposed assets. 

4. Geographic Distribution 

These compromised devices originate from multiple regions worldwide. The top 10 hotspots are: 

  1. Brazil (45%)
  2. Thailand (15%)
  3. Mexico (8%)
  4. Egypt (4%)
  5. Malaysia (3%)
  6. United Arab Emirates (2%)
  7. Colombia (2%)
  8. India (2%)
  9. Kenya (2%)
  10. Israel (1%)

This global spread underscores how widely Fortinet firewalls are deployed and how attackers are leveraging them for malicious purposes. 

Actionable Steps for Defenders

SOC Analysts & Threat Hunters

1. Audit Your IPs and CIDRs

  • Cross-check your external-facing IPs against the list of 366 observed IPs to identify any suspicious or malicious activity originating from your infrastructure. Or, obtain a real-time view of compromised IPs by navigating to the GreyNoise Analysis Tab and pasting the 15,000+ affected IPs.
  • If you are a firewall administrator using Fortinet devices, ensure your configurations are reviewed immediately to confirm no unnecessary interfaces are exposed.

2. Monitor Your Infrastructure for Compromise

  • Use GreyNoise to track malicious behaviors originating from compromised devices and ensure you receive alerts for suspicious activity tied to your infrastructure. 
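An added example (not code from the GreyNoise post or product) of the audit in step 1 above: it cross-checks a downloaded list of observed IPs, assumed here to be a CSV of `ip,classification,tag` rows with constructed sample values, against your own CIDRs and tallies the hits by GreyNoise classification.

```python
import ipaddress
from collections import Counter

# Constructed sample standing in for the downloadable list of observed IPs.
# Format (an assumption, not GreyNoise's export schema): ip,classification,tag
OBSERVED_CSV = """\
203.0.113.7,malicious,SMBv1 Crawler
203.0.113.9,suspicious,SSH Connection Attempt
198.51.100.22,unknown,
192.0.2.5,malicious,WebCrawler
192.0.2.77,unknown,
"""

# Your organisation's external-facing ranges (constructed placeholders).
MY_RANGES = ["203.0.113.0/24", "192.0.2.64/26"]


def parse_observations(text):
    """Turn 'ip,classification,tag' lines into (ip_address, classification, tag)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, classification, tag = (line.split(",", 2) + ["", ""])[:3]
        rows.append((ipaddress.ip_address(ip), classification.strip().lower(), tag.strip()))
    return rows


def audit(observed_csv, my_ranges):
    """Return the observed IPs inside my_ranges and a count per classification.

    Every hit matters: per the post, an 'unknown' Fortinet IP that reaches the
    sensor network is still misbehaving, so unknowns are reported, not dropped.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in my_ranges]
    hits = []
    for ip, classification, tag in parse_observations(observed_csv):
        net = next((n for n in nets if ip in n), None)
        if net is not None:
            hits.append({"ip": str(ip), "network": str(net),
                         "classification": classification, "tag": tag})
    return hits, Counter(h["classification"] for h in hits)


if __name__ == "__main__":
    found, tally = audit(OBSERVED_CSV, MY_RANGES)
    for h in found:
        print(f"{h['ip']:<16} {h['network']:<18} {h['classification']:<10} {h['tag']}")
    print("by classification:", dict(tally))
```

Replace the sample with the downloaded list and your real ranges; any IP the script reports belongs in your incident queue regardless of its classification.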

Firewall Admins & Vulnerability Managers

1. Patch and Secure Your Devices

  • Ensure all Fortinet devices are updated to address CVE-2022-40684 and other known vulnerabilities. Review configurations to close any unnecessary access points.

2. Block Compromised Fortinet IPs

  • Use GreyNoise to block Fortinet IPs hitting our sensor network as soon as they are observed.

Take Action Now 

With GreyNoise, organizations can monitor their external-facing IPs, reduce noise in their threat landscape, and focus their defenses on the most immediate and significant risks. In the case of Fortinet firewalls, if it’s hitting GreyNoise sensors, it’s already up to no good. 

Take control of your external threat landscape today. Use GreyNoise to monitor malicious activity, track behaviors in real time, and protect your organization. Add your IPs or CIDRs to GreyNoise’s alerts now. 


This article is a summary of the full, in-depth version on the GreyNoise Labs blog.