Pierluigi Paganini June 06, 2025

Qilin ransomware now exploits Fortinet vulnerabilities to achieve remote code execution on impacted devices.

Threat intelligence firm PRODAFT warned that Qilin ransomware (aka Phantom Mantis) group targeted multiple organizations between May and June 2025 by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762, and CVE-2024-55591.

“Phantom Mantis recently launched a coordinated intrusion campaign targeting multiple organizations between May and June 2025. Initial access are being achieved by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591, and others.” reads the report published by PRODAFT.

The Qilin ransomware group has been active since at least August 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid.

The ransomware group is currently targeting organizations in Spanish-speaking countries through FortiGate vulnerabilities, but experts warn it could expand globally. Despite the regional focus, the group appears to choose victims opportunistically rather than by region or sector.

In February 2024, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

In March 2025, researchers at Forescout Research – Vedere Labs reported that between January and March, threat actors exploited two Fortinet vulnerabilities to deploy the SuperBlack ransomware. The experts attribute the attacks to a threat actor named “Mora_001” which uses Russian-language artifacts and exhibits a unique operational signature. The experts speculate Mora_001 could be linked to the LockBit ecosystem, reflecting the growing complexity of ransomware operations.

Mora_001 used the leaked LockBit builder to create encryptor, tracked by Forescout as SuperBlack ransomware, and removed any LockBit’s branding.

However, Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours. It is interesting to note that the ransom note shares a TOX ID with LockBit, suggesting a potential affiliation. However, its structured playbook and unique operational patterns distinguish it as a separate entity capable of independent intrusions.

CISA confirmed that the flaw CVE-2025-24472 is known to be used in ransomware campaigns.

The flaw CVE-2024-55591 is an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The flaw could allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.” reads the advisory. “Please note that reports show this is being exploited in the wild.”

Threat actors exploit the flaws to create rogue admin or local users, modify firewall policies, and access SSL VPNs to gain access to internal networks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Qilin ransomware)