Critical Fortinet Vulnerability Exploited by Ransomware Groups

By /

Listen to this Post

A Major Security Threat

A critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products (CVE-2024-55591 and CVE-2025-24472) is being actively exploited by ransomware groups to hijack enterprise networks. This flaw allows cybercriminals to gain full administrative control over affected devices, making it a severe security risk. Attackers are using these vulnerabilities to infiltrate corporate environments, deploy ransomware, and disrupt operations.

Technical Breakdown: How the Exploit Works

The vulnerabilities, categorized under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enable remote attackers to escalate privileges by manipulating Fortinet’s CSF proxy requests and Node.js web sockets. Once exploited, attackers can:

– Gain super-admin privileges on targeted devices

  • Modify firewall rules, bypass security policies, and establish SSL VPN tunnels for lateral movement
  • Deploy ransomware and extract sensitive data before encryption

Affected Versions

| Product | Vulnerable Versions | Patched Versions |

||–|-|

| FortiOS | 7.0.0 – 7.0.16 | 7.0.17+ |
| FortiProxy | 7.0.0 – 7.0.19, 7.2.0 – 7.2.12 | 7.0.20+, 7.2.13+ |

Organizations using affected versions must update immediately to prevent exploitation.

Ransomware Connection: The Rise of SuperBlack

A new ransomware strain, SuperBlack, is being used by the cybercriminal group Mora_001 to exploit these vulnerabilities. This group is believed to be linked to LockBit affiliates and follows a structured attack strategy:

  1. Initial Access: Exploit Fortinet vulnerabilities to bypass authentication
  2. Privilege Escalation: Create hidden admin accounts and modify system configurations
  3. Lateral Movement: Use VPN tunnels, SSH, and reconnaissance tools to locate critical assets
  4. Data Exfiltration & Encryption: Steal sensitive data before deploying ransomware

Security researchers from Forescout have observed Mora_001 using leaked LockBit tools, reinforcing suspicions of direct ties between these attackers and the broader ransomware ecosystem.

Mitigation: How to Protect Your Organization

Immediate Actions

  • Patch Fortinet Products: Apply the latest updates released in January and February 2025
  • Restrict Administrative Access: Limit exposure of admin interfaces using firewall rules
  • Monitor for IoCs (Indicators of Compromise): Look for unauthorized admin accounts and unusual SSL VPN activity

Temporary Workarounds (If Patching is Delayed)

– Disable Security Fabric via CLI:

“`bash

config system csf

set status disable

end

“`

  • Follow CISA’s BOD 22-01 guidelines for cloud security hardening

Industry Warnings: A Race Against Time

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on March 18, 2025, warning of “substantial risks” from these vulnerabilities. Cybersecurity firms Arctic Wolf and Forescout confirmed that attackers are rapidly scanning and exploiting unpatched systems, with ransomware operators targeting organizations that delay updates.

Stefan Hostetler of Arctic Wolf stressed:

“Cybercriminals are capitalizing on delayed patching cycles, making firewalls and VPNs prime targets due to their internet-facing nature.”

Organizations must act swiftly to patch their systems, enforce security best practices, and remain vigilant against ransomware threats.

What Undercode Say:

The Fortinet vulnerabilities highlight a larger issue in cybersecurity—the failure of many organizations to prioritize patching and proactive defense strategies. These attacks aren’t just a technical problem; they reveal the systemic weaknesses in how enterprises handle security updates.

Why Are Fortinet Products Being Targeted?

  • They are widely deployed: Fortinet’s security solutions protect thousands of enterprises worldwide, making them an attractive target
  • They are internet-facing: Firewalls and VPN appliances often have direct exposure to the internet, increasing the risk of exploitation
  • Patch delays are common: Many organizations delay updates due to compatibility concerns or operational disruptions, creating a window of opportunity for attackers

The Ransomware Economy: What’s at Stake?

Ransomware groups like Mora_001 are operating in an ecosystem of leaked tools, underground forums, and affiliate networks. The attack patterns seen in SuperBlack’s deployment suggest a highly organized effort, where:

– Exploits are weaponized within days of disclosure

– Cybercriminals collaborate across multiple ransomware strains

  • Double extortion tactics are used—stealing data before encryption to increase ransom pressure

Lessons for Organizations

  1. Patching Must Be a Priority: Every delay increases the risk of attack. Automated patch management should be enforced
  2. Network Segmentation is Critical: Prevent lateral movement by isolating critical systems
  3. Zero Trust is the Future: Assume all network traffic is potentially malicious and verify every access request
  4. Threat Intelligence Helps: Monitoring for emerging threats can give organizations an early warning against active exploits

The bottom line? Security is not a one-time effort but an ongoing process. Ignoring updates or relying on outdated security models will inevitably lead to breaches.

Fact Checker Results:

  1. CVE-2024-55591 and CVE-2025-24472 are actively exploited, with confirmed attacks by ransomware groups like Mora_001
  2. Fortinet has issued patches, but mass exploitation continues due to delayed patching in many organizations
  3. CISA, Arctic Wolf, and Forescout confirm the severity of the risk, urging enterprises to take immediate action

Organizations must move fast—cybercriminals already have.

References:

Reported By: https://cyberpress.org/fortios-vulnerability/
Extra Source Hub:
https://www.pinterest.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Explore More: