Cybercriminals Leverage Fortinet Vulnerabilities to Deploy Qilin Ransomware

Threat intelligence firm PRODAFT warns of Qilin ransomware exploiting Fortinet vulnerabilities to execute remote code on affected devices.

TL;DR

Threat intelligence firm PRODAFT reports that the Qilin ransomware group (Phantom Mantis) has exploited multiple FortiGate vulnerabilities to target organizations between May and June 2025. The group, active since August 2022, uses “double extortion” tactics and has recently expanded its attacks to Spanish-speaking countries. Key vulnerabilities include CVE-2024-21762 and CVE-2024-55591, which have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The attacks are automated, with victim selection done manually, and the group appears to choose targets opportunistically.

Qilin Ransomware Exploits Fortinet Vulnerabilities for Remote Code Execution

Threat intelligence firm PRODAFT has issued a warning that the Qilin ransomware group, also known as Phantom Mantis, has targeted multiple organizations by exploiting various FortiGate vulnerabilities. These vulnerabilities include CVE-2024-21762 and CVE-2024-55591. The attacks occurred between May and June 2025, highlighting a coordinated intrusion campaign by the ransomware group.

Coordinated Intrusion Campaign

According to PRODAFT’s report, Phantom Mantis launched a coordinated intrusion campaign targeting multiple organizations. The group gained initial access by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591, and others.

"Phantom Mantis recently launched a coordinated intrusion campaign targeting multiple organizations between May and June 2025. Initial access was achieved by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591, and others."

Qilin Ransomware Group’s History and Tactics

The Qilin ransomware group has been active since at least August 2022. It gained significant attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion” tactics: it steals and encrypts victims’ data, then threatens to publish the stolen data unless a ransom is paid.

Targeting Organizations in Spanish-Speaking Countries

Currently, the Qilin ransomware group is targeting organizations in Spanish-speaking countries through FortiGate vulnerabilities. However, experts warn that this regional focus could expand globally. The group appears to choose victims opportunistically rather than by region or sector.

Critical Vulnerabilities Exploited

In February 2024, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

SuperBlack Ransomware and Mora_001

In March 2025, researchers at Forescout Research – Vedere Labs reported that threat actors exploited two Fortinet vulnerabilities to deploy the SuperBlack ransomware. The attacks were attributed to a threat actor named “Mora_001,” which uses Russian-language artifacts and exhibits a unique operational signature. Experts speculate that Mora_001 could be linked to the LockBit ecosystem, reflecting the growing complexity of ransomware operations.

Authentication Bypass Vulnerability

The flaw CVE-2024-55591 is an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. This vulnerability could allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
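The affected version ranges above are easy to misread when a fleet mixes FortiOS and FortiProxy builds. The following script is an added illustration, not Fortinet's or PRODAFT's tooling: it encodes only the ranges quoted on this page, compares version strings as numeric tuples, and reports anything outside those ranges simply as "not in a listed affected range" (it does not know fixed versions). The inventory hosts are constructed sample input.

```python
"""Check FortiOS / FortiProxy version strings against the CVE-2024-55591
affected ranges quoted in the advisory text above.  Added example; the
ranges are taken from the page, the inventory below is constructed."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated on the page (both ends inclusive).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "FortiOS": [("7.0.0", "7.0.16")],
    "FortiProxy": [("7.0.0", "7.0.19"), ("7.2.0", "7.2.12")],
}


def parse_version(text: str) -> Version:
    """Turn 'v7.0.12' / '7.0.12' / '7.0' into a comparable tuple (7, 0, 12)."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # pad '7.0' to (7, 0, 0) so ranges compare cleanly
        nums.append(0)
    return tuple(nums)


def is_affected(product: str, version: str) -> bool:
    """True if product/version falls inside a range the page lists as affected."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product: {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return 'host: product version' for every inventory entry in an affected range."""
    return [f"{host}: {product} {version}"
            for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.12"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("proxy-01", "FortiProxy", "7.2.12"),
    ("proxy-02", "FortiProxy", "7.4.1"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print("in affected range:", line)
```

Feed it the product and version strings from your asset inventory or from `get system status` output; a hit means the device is inside a range the advisory names, which is a prompt to verify patch level against Fortinet's current advisory rather than a statement that the device is exploited.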

"An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module or via crafted CSF proxy requests."

Exploitation Tactics

Threat actors exploit these flaws to create rogue admin or local user accounts, modify firewall policies, and log in through the SSL VPN to reach internal networks.
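Each of those post-exploitation steps leaves a configuration-change event on the device, which is where defenders can look for them. The script below is an added example written for this post, not Fortinet's or PRODAFT's code: it parses FortiGate-style `key=value` event-log lines and raises an alert when an admin or local user account is added, or a firewall policy is added or edited. The field names (`cfgpath`, `cfgobj`, `action`, `user`, `ui`, `logdesc`) follow FortiGate's event-log style, but the sample lines, usernames and addresses are constructed for the example, not captured logs.

```python
"""Flag the config changes the post describes (new admin/local users, firewall
policy edits) in FortiGate-style key=value event logs.  Added example; the
log lines below are constructed, not real captures."""

import re
from typing import Dict, List, Optional

# One key=value pair; the value is either "quoted with spaces" or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict with surrounding quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


# cfgpath prefixes to watch, mapped to a human-readable label for the alert.
WATCHED_PATHS = {
    "system.admin": "admin account",
    "user.local": "local user",
    "firewall.policy": "firewall policy",
}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string if the event is a watched configuration change."""
    path = event.get("cfgpath", "")
    action = event.get("action", "")
    for prefix, label in WATCHED_PATHS.items():
        if not path.startswith(prefix):
            continue
        # Account paths: only creation is interesting here; policies: add or edit.
        if prefix != "firewall.policy" and action != "Add":
            return None
        if prefix == "firewall.policy" and action not in ("Add", "Edit"):
            return None
        return (f"{label} {action.lower()}: {event.get('cfgobj', '?')} "
                f"by {event.get('user', '?')} via {event.get('ui', '?')}")
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify() over raw log lines, skipping anything that is not a config event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "event" or "cfgpath" not in ev:
            continue
        alert = classify(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (usernames, policy id and IPs are made up).
SAMPLE_LOGS = [
    'date=2025-05-20 time=03:14:07 type="event" subtype="system" '
    'logdesc="Object configured" user="admin" ui="https(203.0.113.9)" action="Add" '
    'cfgpath="system.admin" cfgobj="sup0rt" msg="Add system.admin sup0rt"',
    'date=2025-05-20 time=03:15:22 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.9)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="srcintf[ssl.root]"',
    'date=2025-05-20 time=03:16:01 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops" ui="ssh(10.0.0.5)" '
    'action="Edit" cfgpath="system.global" cfgobj="" cfgattr="hostname[fw-edge-01]"',
    'date=2025-05-20 time=03:17:45 type="event" subtype="vpn" logdesc="SSL VPN '
    'tunnel up" user="sup0rt" remip=203.0.113.9 action="tunnel-up"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("ALERT", alert)
```

In practice the same logic runs over the device's syslog or FortiAnalyzer export; the `ui` field is worth keeping in the alert because an account created from an interface or source address your administrators do not use is the detail that separates a legitimate change from a follow-on to the authentication bypass described above.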

Conclusion

The Qilin ransomware group’s exploitation of Fortinet vulnerabilities underscores the importance of timely patching and robust cybersecurity measures. As the group continues to evolve its tactics and expand its targets, organizations must remain vigilant and proactive in their defense strategies.

This post is licensed under CC BY 4.0 by the author.