Security Briefing πŸ”΄ Critical

Ransomware Groups Exploit Unpatched Fortinet Firewalls in Mass Campaign

6 min read
CRITICAL

Executive Summary

Multiple ransomware gangs including Mora_001 are conducting a mass exploitation campaign targeting Fortinet FortiGate firewalls vulnerable to CVE-2024-55591 and CVE-2025-24472. Attackers are gaining super-admin access via crafted WebSocket and HTTP/HTTPS requests to the Node.js management interface. Over 50,000 devices have been compromised globally, with attackers deploying a new ransomware variant dubbed SuperBlack. Organizations using FortiOS 7.0.0–7.0.16 or FortiProxy 7.0.0–7.0.19 must patch immediately.

⚑ Bottom line: If you run Fortinet firewalls, assume compromise and investigate NOW.

πŸ”΄
CVSS 9.6 β€” Critical

CVE-2024-55591 & CVE-2025-24472 β€” Fortinet Authentication Bypass

The Vulnerability

Two related authentication bypass vulnerabilities in FortiOS and FortiProxy allow remote attackers to gain super-admin privileges on Fortinet FortiGate firewalls. CVE-2024-55591 exploits the Node.js WebSocket module, while CVE-2025-24472 targets the CSF proxy via crafted HTTP/HTTPS requests. Both achieve the same devastating result: complete firewall takeover without credentials.

The SuperBlack Ransomware Campaign

A threat actor tracked as Mora_001 has been observed exploiting these vulnerabilities since late January 2026. The attack chain is highly automated: after gaining super-admin access, attackers create new admin accounts, modify firewall policies to allow lateral movement, deploy VPN tunnels for persistent access, and ultimately deploy the SuperBlack ransomware across the victim's network.

SuperBlack appears to be a derivative of LockBit 3.0 (LockBit Black), sharing significant code overlap but operated by a distinct group. The ransomware uses a custom data exfiltration tool to steal sensitive data before encryption, enabling double extortion.

Scale of Compromise

Shadowserver Foundation reports that over 50,000 Fortinet devices remain exposed and vulnerable as of late February 2026. The campaign has affected organizations across all sectors, with particularly heavy targeting of healthcare, manufacturing, and government sectors.

CVEComponentCVSSImpact
CVE-2024-55591 FortiOS / FortiProxy (WebSocket) 9.6 Authentication Bypass β†’ Super-Admin Access
CVE-2025-24472 FortiOS / FortiProxy (CSF Proxy) 9.6 Authentication Bypass β†’ Super-Admin Access
πŸ”₯

Complete Firewall Takeover

Attackers gain super-admin access, can modify all firewall rules, create VPN tunnels, and disable security features

🦠

Ransomware Deployment

SuperBlack ransomware deployed across victim networks after firewall compromise enables lateral movement

πŸ“€

Data Exfiltration

Custom exfiltration tool steals sensitive data before encryption, enabling double extortion tactics

🌐

50,000+ Devices Exposed

Tens of thousands of vulnerable Fortinet devices remain internet-accessible and unpatched

Immediate Actions Required

  • Update FortiOS to 7.0.17+ or 7.2.x and FortiProxy to 7.0.20+ or 7.2.x immediately
  • Disable HTTP/HTTPS management interface access from the internet
  • Audit all admin accounts β€” look for unauthorized accounts created since January 2026
  • Review firewall policy changes for unauthorized modifications
  • Check for unauthorized VPN configurations and SSL-VPN access
  • Search logs for jsconsole activity and WebSocket connections to management interface
  • If compromised: isolate, preserve forensic evidence, engage incident response
⚠️ Indicators of Compromise: Look for new admin accounts (e.g., forticloud-tech, fortigate-firewall), unauthorized firewall policy changes, unusual jsconsole logins from public IPs, and VPN tunnel configurations you didn't create. Mora_001 typically operates from AS-numbered IP ranges.
πŸ”
Detection

How to Detect Compromise

Fortinet has published detailed indicators of compromise (IOCs) that organizations should check immediately:

Detection Steps

  • Review admin login logs: diagnose sys logdisk log filter category event
  • Check for unauthorized admin accounts: config system admin β†’ show
  • Audit firewall policy modifications in the last 60 days
  • Inspect SSL-VPN portal configurations for unauthorized additions
  • Monitor outbound traffic for data exfiltration patterns (large uploads to unknown IPs)
  • Search SIEM for management interface access from unexpected source IPs

Fortinet Emergency Response Checklist

Immediate (Now)
  • Disable management interface internet access
  • Check for unauthorized admin accounts
  • Apply FortiOS/FortiProxy patches
  • Review recent firewall policy changes
Investigation (24–48 hours)
  • Full audit of admin accounts and access logs
  • Check for VPN tunnel backdoors
  • Scan internal network for SuperBlack ransomware IOCs
  • Review data exfiltration indicators in network logs
  • Run KENSAI scan on all Fortinet-protected perimeters

FΓΌhren Sie jetzt einen kostenlosen KENSAI-Sicherheitsscan durch

πŸ—‘οΈ Jetzt scannen β†’

πŸ›‘οΈ Protect Your Business

Get a free security scan of your website in 60 seconds

Free Security Scan β†’
πŸ“š More Articles 🏠 Home