Fortinet Firewall Flaw Fuels Ransomware

Summary

CISA warns of a critical Fortinet vulnerability exploited in a ransomware campaign. The vulnerability allows remote attackers to gain super-admin privileges. Organizations should prioritize patching affected Fortinet devices.

Dont let data threats slow you downTrueNAS offers enterprise-level protection.

** Main Story**

A critical vulnerability in Fortinet firewalls, CVE-2025-24472, is under active exploit in a ransomware campaign, the Cybersecurity and Infrastructure Security Agency (CISA) warns. This vulnerability allows remote attackers to gain super-admin privileges, enabling them to deploy ransomware and exfiltrate sensitive data. Organizations using vulnerable FortiOS and FortiProxy versions should prioritize patching their systems to mitigate this risk.

This article delves into the Fortinet vulnerability, the associated ransomware attacks, and provides essential guidance for organizations to protect their systems. We will examine the technical details of the flaw, the tactics employed by attackers, and the broader implications for cybersecurity in the face of evolving ransomware threats.

The Fortinet Vulnerability: A Gateway for Ransomware

The vulnerability, CVE-2025-24472, exists in FortiOS versions 7.0.0 to 7.0.16 and 7.0.0 to 7.0.19, as well as FortiProxy versions 7.2.0 to 7.2.12. This critical flaw, with a CVSS base score of 8.1, allows attackers to bypass authentication using an alternate path. By crafting specific CSF proxy requests, malicious actors can gain super-admin privileges on vulnerable Fortinet devices.

Fortinet disclosed the vulnerability in mid-January 2025 and released patches (versions 7.0.17, 7.2.13, and 7.0.20). However, despite the availability of patches, threat actors continue to exploit this vulnerability.

Ransomware Attacks: SuperBlack and Beyond

Forescout Research identified a new ransomware strain, dubbed “SuperBlack,” deployed by the ransomware group Mora_001. This group, with suspected ties to the notorious LockBit ransomware operation, exploits CVE-2025-24472 alongside another Fortinet vulnerability, CVE-2024-55591.

The attacks involve gaining initial access through the vulnerability, escalating privileges to super-admin, and then deploying the SuperBlack ransomware. In some cases, attackers exfiltrate sensitive data before encrypting files, following a double-extortion tactic increasingly common among ransomware operators. They target file servers containing valuable data and encrypt them selectively rather than encrypting entire networks.

Protecting Your Organization: Mitigation and Best Practices

CISA’s addition of CVE-2025-24472 to its Known Exploited Vulnerabilities (KEV) catalog underscores the urgency of patching affected Fortinet devices. Organizations should immediately apply the available patches to protect their systems from this actively exploited vulnerability.

Beyond patching, implementing robust security measures is essential to mitigate the risk of ransomware attacks. These measures include:

• Regular Vulnerability Scanning: Identify and address vulnerabilities promptly, especially on internet-facing devices.

• Multi-Factor Authentication (MFA): Implement MFA for all administrative accounts to prevent unauthorized access.

• Strong Passwords: Enforce strong, unique passwords for all user accounts.

• Security Awareness Training: Educate employees about phishing attacks and other social engineering tactics.

• Data Backups: Maintain regular offline backups of critical data to enable recovery in case of a ransomware attack.

• Incident Response Plan: Develop and regularly test an incident response plan to effectively manage ransomware incidents.

The Evolving Ransomware Landscape

The Fortinet vulnerability and associated ransomware attacks highlight the continuously evolving nature of the ransomware threat. Attackers adapt their tactics and exploit new vulnerabilities, necessitating a proactive approach to cybersecurity. Organizations must prioritize patching, implement robust security controls, and foster a culture of security awareness to effectively defend against modern ransomware threats.

As of March 24, 2025, the information provided in this article is current, but the cybersecurity landscape is constantly changing. Staying informed about emerging threats and best practices is crucial for maintaining a strong security posture.