%20(1).webp?w=1600&resize=1600,900&ssl=1)
A critical authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products (CVE-2024-55591 and CVE-2025-24472) is actively exploited by ransomware operators to hijack enterprise networks.
The flaw, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), allows remote attackers to gain super-admin privileges via maliciously crafted CSF proxy requests or Node.js web socket module exploits.
Technical Overview
The vulnerabilities affect:
- FortiOS versions 7.0.0 through 7.0.16
- FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12.
Exploitation involves bypassing authentication mechanisms to create unauthorized administrative accounts, modify firewall policies, or establish SSL VPN tunnels for lateral movement.
Successful attacks grant attackers complete control over compromised devices, enabling data exfiltration, ransomware deployment, and network disruption.
Link to Ransomware Campaigns
A new ransomware variant, SuperBlack—a modified version of LockBit 3.0—has been deployed by the threat actor Mora_001 using these vulnerabilities.
The group, suspected to have ties to LockBit affiliates, follows a structured playbook:
- Initial Access: Exploit CVE-2024-55591/CVE-2025-24472 to bypass authentication.
- Privilege Escalation: Create persistent admin accounts and modify configurations.
- Lateral Movement: Use VPN tunnels and reconnaissance tools like WMIC/SSH to target high-value assets (e.g., domain controllers, file servers).
- Data Exfiltration & Encryption: Deploy ransomware after extracting sensitive data.
Forescout researchers observed Mora_001 leveraging leaked LockBit tools, including the same Tox messaging ID, suggesting collaboration with or imitation of established ransomware ecosystems.
Mitigation and Patching
Fortinet released patches in January and February 2025:
| Product | Affected Versions | Patched Versions |
|---|---|---|
| FortiOS | 7.0.0 – 7.0.16 | 7.0.17+ |
| FortiProxy | 7.0.0 – 7.0.19 | 7.0.20+ |
| FortiProxy | 7.2.0 – 7.2.12 | 7.2.13+ |
Workarounds (if patching is delayed):
- Disable the Security Fabric via CLI: text
config system csf set status disable end - Restrict administrative access using local-in policies.
- Follow CISA’s BOD 22-01 guidance for cloud service hardening.
Industry Warnings
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on March 18, 2025, urging organizations to apply patches immediately, citing “substantial risks” of operational and financial damage.
Arctic Wolf and Forescout confirmed mass exploitation attempts, with attackers targeting unpatched devices within days of proof-of-concept exploit releases.
Stefan Hostetler of Arctic Wolf emphasized, “Cybercriminals are capitalizing on delayed patching cycles, making firewalls and VPNs prime targets due to their internet-facing nature”.
The Fortinet vulnerabilities underscore the critical need for proactive patch management in network security.
With ransomware groups like Mora_001 weaponizing these flaws, organizations must prioritize updates, restrict administrative interfaces, and monitor for indicators of compromise (IoCs) such as unauthorized admin accounts or SSL VPN changes.
Failure to act risks catastrophic breaches, as highlighted by CISA’s unprecedented advisory.
Also Read:
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Hackers Target California Cryobank, Compromising Donor and Customer Data")
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The%20flaw,%20classified%20under%20CWE-288%20,%20allows%20remote%20attackers%20to%20gain%20super-admin%20privileges%20via%20maliciously%20crafted%20CSF%20proxy%20requests.){kind=link}