Exploiting Fortinet Vulnerabilities: The Rise of Qilin Ransomware

Exploiting Fortinet Vulnerabilities: The Rise of Qilin Ransomware

Alex Cipher's Profile Pictire Alex Cipher 4 min read

The Qilin ransomware operation, also known as Phantom Mantis, has emerged as a formidable threat by exploiting critical vulnerabilities in Fortinet products. This ransomware-as-a-service (RaaS) operation, which surfaced in August 2022 under the name “Agenda,” has been linked to over 310 victims globally, targeting high-profile organizations across various sectors such as automotive, publishing, and healthcare (BleepingComputer). The exploitation of these vulnerabilities, particularly CVE-2024-21762 and CVE-2024-55591, has allowed attackers to bypass authentication and execute malicious code remotely, leading to significant disruptions and financial losses for affected organizations. Despite patches being available, many systems remain vulnerable, highlighting the urgent need for robust cybersecurity measures (Tenable).

Exploitation of Fortinet Vulnerabilities in Qilin Ransomware Attacks

Overview of Qilin Ransomware Exploitation

The Qilin ransomware operation, also known as Phantom Mantis, has been actively exploiting critical vulnerabilities in Fortinet products to launch ransomware attacks. This ransomware-as-a-service (RaaS) operation emerged in August 2022 under the name “Agenda” and has since been linked to over 310 victims globally (BleepingComputer). The group has targeted high-profile organizations such as Yangfeng, Lee Enterprises, Court Services Victoria, and Synnovis, impacting various sectors including automotive, publishing, and healthcare.

Specific Vulnerabilities Exploited

CVE-2024-21762

One of the key vulnerabilities exploited by the Qilin ransomware is CVE-2024-21762. This vulnerability allows attackers to bypass authentication on vulnerable Fortinet devices and execute malicious code remotely. Despite being patched in February 2025, nearly 150,000 devices remain vulnerable, as reported by the Shadowserver Foundation (BleepingComputer). The exploitation of this vulnerability has been a significant factor in the widespread success of Qilin ransomware attacks.

CVE-2024-55591

Another critical vulnerability exploited is CVE-2024-55591, an authentication bypass zero-day vulnerability in FortiOS and FortiProxy. This vulnerability has been actively exploited since November 2024 and was patched in early 2025 (Tenable). The exploitation of CVE-2024-55591 has enabled threat actors to gain unauthorized access to systems, facilitating further malicious activities such as data exfiltration and ransomware deployment.

Impact on Organizations

The exploitation of Fortinet vulnerabilities by Qilin ransomware has had a profound impact on organizations worldwide. For instance, the Synnovis incident led to the cancellation of hundreds of appointments and operations at major NHS hospitals in London (BleepingComputer). The attacks have also targeted organizations in Spanish-speaking countries, with expectations of the campaign expanding globally (BleepingComputer).

Mitigation and Response Strategies

Patch Management

To mitigate the risk of exploitation, organizations are urged to apply patches promptly. Fortinet has released updates addressing the vulnerabilities exploited by Qilin ransomware, and it is imperative for organizations to upgrade affected products to the latest versions (Fortinet Advisory). Manual patch management is considered outdated, as it is slow and error-prone, highlighting the need for automated solutions to ensure timely updates (BleepingComputer).

Network Segmentation and Monitoring

Implementing network segmentation and monitoring for suspicious activities are crucial steps in defending against ransomware attacks. Organizations should enforce strong password policies, monitor for unusual VPN and credential dumping activities, and have an incident response plan with tested backups to minimize damage (SISA InfoSec).

Future Threat Landscape

The threat landscape is expected to evolve with the continuous exploitation of Fortinet vulnerabilities by various threat actors. The Mora_001 ransomware operator has also leveraged CVE-2024-55591 to deploy the SuperBlack ransomware strain, linked to the notorious LockBit cybercrime gang (BleepingComputer). As threat actors continue to exploit these vulnerabilities, organizations must remain vigilant and proactive in their cybersecurity efforts.

Conclusion

While this section has focused on the specific vulnerabilities exploited by Qilin ransomware, it is essential for organizations to adopt a comprehensive cybersecurity strategy that includes regular vulnerability assessments, employee training, and collaboration with threat intelligence providers. By staying informed and prepared, organizations can better protect themselves against the evolving threat landscape posed by ransomware operations like Qilin.

Final Thoughts

The persistent exploitation of Fortinet vulnerabilities by the Qilin ransomware group underscores the critical importance of proactive cybersecurity measures. Organizations must prioritize patch management and implement comprehensive security strategies to mitigate the risks posed by such sophisticated threats. The impact of these attacks, as seen in incidents affecting major entities like Synnovis, serves as a stark reminder of the potential consequences of inadequate security practices (BleepingComputer). As the threat landscape continues to evolve, with new actors leveraging similar vulnerabilities, staying informed and prepared is essential for safeguarding against future attacks.

References

Related Articles