Fortinet Vulnerability Triggers Ransomware

Thousands of organizations worldwide are now scrambling to contain the fallout from a devastating Fortinet security flaw that has unleashed a wave of ransomware attacks. The culprit? A pair of authentication bypass vulnerabilities, CVE-2024-55591 and CVE-2025-24472, that let an unauthenticated remote attacker hit the device with crafted requests and walk away holding the keys to the kingdom. Super-admin privileges for the taking. No password required.

The cybersecurity equivalent of leaving your front door wide open with a neon sign saying “Steal Everything”

CISA wasn’t messing around. It added the flaw to its Known Exploited Vulnerabilities catalog in January and slapped a one-week patch deadline on it, but clearly not everyone got the memo. The vulnerabilities affect a broad slice of Fortinet’s lineup: FortiOS, FortiProxy, FortiPAM, and FortiWeb. Classic case of “patch now or pay later.”

Enter Mora_001, a ransomware group with ties to the infamous LockBit operation. They’ve been having a field day with these flaws since late January, deploying their aptly named “SuperBlack” ransomware. It’s essentially LockBit 3.0 with a fresh coat of paint and a few tweaks meant to throw investigators off the scent.

The attacks follow a frighteningly efficient pattern. They exploit the WebSocket authentication bypass to land on the firewall as super-admin, create backdoor administrator accounts so their access survives a patch, and ride the device’s VPN capabilities to move laterally into the internal network. Within 48 hours, your precious files are encrypted. The attackers also deploy a component called WipeBlack to erase evidence of the encryptor once it has done its job. Game over.
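The first two steps of that chain leave marks in the firewall’s own event log. The following Python script is an added example, not code from the article, from Fortinet, or from Forescout: it tokenizes FortiOS key=value event lines and flags a super-admin login over the `jsconsole` interface (the signature Fortinet’s advisory associated with this exploitation, where the source and destination addresses carry bogus values) and any account added from such a session. The log lines are constructed to mirror that field layout; the account names, IP addresses, and the extra rule for `user.local` (a local VPN user) are assumptions made for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed FortiOS event-log lines (invented values, not real telemetry).
# The field layout follows what Fortinet's advisory described for this
# campaign: a super-admin login whose ui is "jsconsole", followed by
# configuration changes from a jsconsole session that add accounts.
SAMPLE_LOGS = [
    # Normal GUI login from a real admin workstation: not flagged.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.10)" '
    'method="https" srcip=203.0.113.10 dstip=192.0.2.1 action="login" '
    'status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    # Exploit landing: jsconsole login with bogus, identical src/dst addresses.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" '
    'status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    # Backdoor super_admin account added from the jsconsole session (name invented).
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="xQ7kd" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin xQ7kd"',
    # Local user for VPN access added from the same kind of session (assumed rule).
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgtid=1411317761 cfgpath="user.local" cfgobj="vpn-svc" '
    'cfgattr="type[password]passwd[*]" msg="Add user.local vpn-svc"',
    # Ordinary failed login: not flagged.
    'type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" '
    'method="https" srcip=198.51.100.7 dstip=192.0.2.1 action="login" '
    'status="failed" msg="Administrator admin login failed from https(198.51.100.7)"',
]

# FortiOS values are either double-quoted (may contain spaces and parentheses)
# or bare tokens such as srcip=1.1.1.1.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one FortiOS key=value event line into a field dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag events consistent with the exploit-then-backdoor chain."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_fortios_log(line)
        ui = ev.get("ui", "")
        via_jsconsole = ui.startswith("jsconsole")
        if ev.get("action") == "login" and ev.get("status") == "success" and via_jsconsole:
            # The GUI's own CLI console also logs ui="jsconsole", so a bare hit is
            # only medium; identical src/dst addresses (the bogus pair the advisory
            # described) raise it to high.
            bogus = ev.get("srcip") == ev.get("dstip")
            findings.append({"rule": "jsconsole_admin_login",
                             "severity": "high" if bogus else "medium",
                             "account": ev.get("user", ""), "source": ev.get("srcip", "")})
        elif ev.get("action") == "Add" and via_jsconsole:
            if ev.get("cfgpath") == "system.admin":
                sev = "high" if "accprofile[super_admin]" in ev.get("cfgattr", "") else "medium"
                findings.append({"rule": "admin_account_added", "severity": sev,
                                 "account": ev.get("cfgobj", ""), "source": ui})
            elif ev.get("cfgpath") == "user.local":
                findings.append({"rule": "local_user_added", "severity": "medium",
                                 "account": ev.get("cfgobj", ""), "source": ui})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f['severity']:6}] {f['rule']:22} account={f['account']} source={f['source']}")
```

Run against a real export, every `system.admin` and `user.local` addition the script reports should be checked against the change record; an account nobody recognizes is the backdoor, and deleting it matters as much as installing the patch, because the patch alone leaves it in place. Fortinet’s advisory also recommended keeping the administrative interface off the internet, which is the cheapest way to blunt this class of bug regardless of patch status.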

The numbers are staggering. Nearly 7,700 exposed FortiGate firewalls in the US alone. India has over 4,600. Brazil rounds out the top three most affected countries. That’s a lot of potential victims.

Cybersecurity researchers aren’t mincing words. Forescout Research-Vedere Labs confirms the link between Mora_001 and LockBit, noting they share the same TOX ID for ransom negotiations. Same playbook, different name.

The worst part? CVE-2024-55591 was being exploited as a zero-day from November 2024, roughly two months before Fortinet’s January disclosure. Talk about a head start for the bad guys. Field Effect experts strongly recommend regular data backups so operations can be restored should a ransomware attack succeed, and backups only earn their keep if they sit out of reach of the compromised network and have actually been tested. The sophistication of these attacks mirrors the alarming trend seen with infostealer trojans, which the same reporting puts as slipping past modern security systems roughly 61% of the time.

Fortinet released patches in January, but for many organizations it’s too little, too late. The ransomware genie is out of the bottle. And it’s not going back in anytime soon.
