Multiple ransomware gangs including Mora_001 are conducting a mass exploitation campaign targeting Fortinet FortiGate firewalls vulnerable to CVE-2024-55591 and CVE-2025-24472. Attackers are gaining super-admin access via crafted WebSocket and HTTP/HTTPS requests to the Node.js management interface. Over 50,000 devices have been compromised globally, with attackers deploying a new ransomware variant dubbed SuperBlack. Organizations using FortiOS 7.0.0–7.0.16 or FortiProxy 7.0.0–7.0.19 must patch immediately.
⚡ Bottom line: If you run Fortinet firewalls, assume compromise and investigate NOW.
Two related authentication bypass vulnerabilities in FortiOS and FortiProxy allow remote attackers to gain super-admin privileges on Fortinet FortiGate firewalls. CVE-2024-55591 exploits the Node.js WebSocket module, while CVE-2025-24472 targets the CSF proxy via crafted HTTP/HTTPS requests. Both achieve the same devastating result: complete firewall takeover without credentials.
A threat actor tracked as Mora_001 has been observed exploiting these vulnerabilities since late January 2026. The attack chain is highly automated: after gaining super-admin access, attackers create new admin accounts, modify firewall policies to allow lateral movement, deploy VPN tunnels for persistent access, and ultimately deploy the SuperBlack ransomware across the victim's network.
SuperBlack appears to be a derivative of LockBit 3.0 (LockBit Black), sharing significant code overlap but operated by a distinct group. The ransomware uses a custom data exfiltration tool to steal sensitive data before encryption, enabling double extortion.
Shadowserver Foundation reports that over 50,000 Fortinet devices remain exposed and vulnerable as of late February 2026. The campaign has affected organizations across all sectors, with particularly heavy targeting of healthcare, manufacturing, and government sectors.
| CVE | Component | CVSS | Impact |
|---|---|---|---|
| CVE-2024-55591 | FortiOS / FortiProxy (WebSocket) | 9.6 | Authentication Bypass → Super-Admin Access |
| CVE-2025-24472 | FortiOS / FortiProxy (CSF Proxy) | 9.6 | Authentication Bypass → Super-Admin Access |
Attackers gain super-admin access, can modify all firewall rules, create VPN tunnels, and disable security features
SuperBlack ransomware deployed across victim networks after firewall compromise enables lateral movement
Custom exfiltration tool steals sensitive data before encryption, enabling double extortion tactics
Tens of thousands of vulnerable Fortinet devices remain internet-accessible and unpatched
Fortinet has published detailed indicators of compromise (IOCs) that organizations should check immediately:
diagnose sys logdisk log filter category eventconfig system admin → show