Severity
High
Analysis Summary
Fortinet customers who have yet to patch the critical authentication bypass vulnerability (CVE-2025-24472) disclosed in February are at high risk, as threat actors actively exploit the flaw to gain super-admin access. The vulnerability affects certain versions of Fortinet's FortiOS and FortiProxy, with publicly exposed FortiGate firewall management interfaces being particularly vulnerable. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-24472 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fix by April 4. Another severe vulnerability, CVE-2024-55591, was disclosed earlier in January and also allows unauthenticated remote access to administrative privileges through maliciously crafted Node.js websocket requests. Both flaws have been actively exploited, with CVE-2024-55591 being targeted as a zero-day before its disclosure.
A newly identified ransomware actor, Mora_001, linked to the LockBit operation, has been using these vulnerabilities for initial access and privilege escalation on exposed Fortinet devices. Researchers found that the threat actor exploited the flaws via Fortinet's jsconsole interface or crafted HTTPS requests, sometimes using public proof-of-concept (PoC) exploit code and sometimes modified versions of it. After gaining access, Mora_001 created multiple admin accounts, scheduled scripts, and synchronized the changes to backup firewalls to maintain persistence. The attack chain has involved system and network discovery, lateral movement, data exfiltration, and ultimately deployment of a ransomware variant named "SuperBlack." Arctic Wolf had previously warned about suspicious activity targeting FortiGate firewalls but only later linked it to these vulnerabilities, advising organizations to disable public access to firewall management interfaces.
Despite a decrease in overall attack activity, CVE-2024-55591 and CVE-2025-24472 remain significant threats, with ransomware actors actively exploiting them. A senior researcher emphasized that best practice dictates firewall management interfaces should never be publicly exposed. The firm has struggled to attribute the attacks to a specific group because early intervention limited visibility into the later stages of exploitation. While ransomware remains the primary threat observed so far, past incidents suggest cryptocurrency mining groups may also exploit similar vulnerabilities. These attacks highlight the persistent risk edge devices face, particularly those with misconfigurations or outdated firmware, which make them lucrative targets for cybercriminals.
CISA and security researchers have repeatedly warned that products from Fortinet, Ivanti, Palo Alto Networks, Citrix, SonicWall, and other vendors are frequent targets due to their critical access points in enterprise environments. This trend is expected to continue as cybercriminals leverage misconfigured and unpatched edge devices for financial gain. With increasing attacks on such devices, organizations must ensure timely patching and follow best practices to minimize exposure. Fortinet customers should prioritize securing their systems, as attackers are likely to continue exploiting these vulnerabilities for ransomware campaigns and other malicious activities.
Impact
- Security Bypass
Indicators of Compromise
CVE
- CVE-2025-24472
- CVE-2024-55591
Affected Vendors
- Fortinet
Affected Products
- Fortinet FortiProxy 7.2.0
- Fortinet FortiOS 7.0.0
- Fortinet FortiProxy 7.2.0 - 7.0.0
- Fortinet FortiProxy 7.0.0
- Fortinet FortiProxy 7.1.0
- Fortinet FortiProxy 7.0.19
- Fortinet FortiProxy 7.2.12
Remediation
- Fortinet has released fixes for both vulnerabilities; all affected systems should be updated as soon as possible.
- Ensure that FortiGate firewall management interfaces are not exposed to the internet to prevent exploitation.
- Restrict access to administrative interfaces by allowing only trusted IP addresses within internal networks.
- Regularly check for unusual admin account creation, scheduled scripts, and unauthorized system changes.
- Apply MFA for all admin accounts to add an extra layer of security against unauthorized access.
- Review logs for signs of exploitation, such as suspicious HTTPS requests or abnormal system behavior.
- Use access control lists (ACLs) and firewall rules to restrict access to management interfaces.
- Deploy EDR tools to detect and mitigate potential threats in real time.
- Ensure frequent, offline, and encrypted backups to recover from potential ransomware attacks.
- Monitor advisories from CISA, Fortinet, and security researchers to stay informed about emerging threats and attack methods.
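A small detection check for the indicators named in these remediation steps (unusual admin account creation, scheduled scripts, configuration changes made via jsconsole or from outside a trusted management range), added here as an example and not part of the original advisory. It assumes FortiOS-style key=value event logs; the field names, the script-related cfgpath values, the trusted management range and the log lines themselves are constructed for the illustration.

```python
import ipaddress
import re

# Assumed FortiOS event-log format: key=value pairs, with config changes logged as
# logdesc="Object attribute configured" plus user, ui, action, cfgpath, cfgobj. Constructed lines.
SAMPLE_LOGS = [
    'date=2025-03-20 time=03:12:44 logdesc="Object attribute configured" user="admin" '
    'ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup_1"',
    'date=2025-03-20 time=03:13:02 logdesc="Object attribute configured" user="admin" '
    'ui="GUI(203.0.113.5)" action="Add" cfgpath="system.auto-script" cfgobj="sync_cfg"',
    'date=2025-03-20 time=03:14:10 logdesc="Object attribute configured" user="svc_backup_1" '
    'ui="ssh(203.0.113.5)" action="Edit" cfgpath="system.ha" cfgobj="ha"',
    'date=2025-03-20 time=09:30:00 logdesc="Object attribute configured" user="netops" '
    'ui="GUI(10.10.5.20)" action="Edit" cfgpath="firewall.policy" cfgobj="42"',
]
# Assumed internal management range and assumed config paths for scheduled scripts/automation.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]
SCRIPT_PATHS = {"system.auto-script", "system.automation-action", "system.automation-stitch"}
KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_line(line):
    """Split one key=value log line into a dict; values may be quoted or bare."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def source_ip(ui):
    """Client address from ui="GUI(1.2.3.4)" or ui="ssh(1.2.3.4)"; None for jsconsole."""
    match = UI_IP_RE.search(ui)
    return ipaddress.ip_address(match.group(1)) if match else None

def flag_events(lines, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return (reason, user, cfgpath, cfgobj) for every change matching the advisory's indicators."""
    findings = []
    for event in (parse_line(line) for line in lines):
        if event.get("logdesc") != "Object attribute configured":
            continue  # only configuration-change events are of interest here
        ui, path = event.get("ui", ""), event.get("cfgpath", "")
        ip = source_ip(ui)
        reasons = []
        if path == "system.admin" and event.get("action") == "Add":
            reasons.append("new admin account created")
        if path in SCRIPT_PATHS:
            reasons.append("scheduled script or automation created")
        if ui == "jsconsole":
            reasons.append("change made via jsconsole")
        if ip is not None and not any(ip in net for net in trusted_nets):
            reasons.append(f"management change from untrusted source {ip}")
        findings.extend((r, event.get("user"), path, event.get("cfgobj")) for r in reasons)
    return findings
```

Calling `flag_events(SAMPLE_LOGS)` yields five findings across the first three constructed lines; the fourth line, a routine policy edit from the trusted range, produces none.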