Hackers are actively exploiting a previously discovered vulnerability in Fortinet firewalls to carry out ransomware attacks. A patch is available.
Cybercriminals operating under the name Mora_001 are exploiting a previously discovered bug in Fortinet firewalls in a ransomware campaign. Fortinet had already warned about the issue earlier. Specifically, the attackers are targeting CVE-2024-55591 and CVE-2025-24472, which allow them to bypass authentication and ultimately inject their own malware. The malware has been named SuperBlack.

It’s not entirely clear how long the attacks have been ongoing. Initially, Fortinet stated that the discovered bugs were not yet being exploited, but now it appears that criminals might have been able to set up attacks via the zero-days earlier this year. At present, however, the exploitation is very evident.
Patch available
Patches are available, but as is tradition, they have not yet been installed widely enough. Mora_001 is taking advantage of this laxity to infect companies with ransomware and then extort them.
The exploitation was discovered by security researchers from Forescout. They determined that the attacks follow a fixed pattern, indicating that they are being carried out by a single entity.
In any case, the solution remains the same as always: install the patches for known, published vulnerabilities immediately. Those who wait can expect SuperBlack on their systems.