Introduction: The Evolving Ransomware Landscape
In the ever-shifting battlefield of cybersecurity, ransomware remains a persistent and escalating threat to organizations worldwide. As of March 17, 2025, a sophisticated wave of attacks has emerged, targeting Fortinet firewalls—critical network security appliances designed to safeguard enterprise perimeters. Security researchers have uncovered evidence of hackers, believed to be associated with the infamous LockBit ransomware gang, exploiting two specific vulnerabilities to infiltrate company networks and deploy ransomware payloads. For cybersecurity professionals with a decade of experience, this development underscores the importance of proactive defense, timely patching, and advanced threat intelligence. In this blog, we’ll dissect the technical details of these vulnerabilities, the exploitation techniques, and actionable mitigation strategies to bolster your network security.
The Vulnerabilities: CVE-2024-55591 and CVE-2025-24472
The vulnerabilities at the heart of this campaign are tracked as CVE-2024-55591 and CVE-2025-24472, both affecting Fortinet’s FortiOS and FortiProxy platforms—core components of Fortinet’s firewall ecosystem. These flaws are authentication bypass vulnerabilities, allowing unauthenticated attackers to gain super-administrator privileges on exposed devices. For technical audiences, understanding the mechanics of these exploits is critical.
• CVE-2024-55591: This zero-day vulnerability, disclosed in January 2025, enables attackers to circumvent authentication mechanisms via an alternate path in the FortiOS management interface. By crafting specially designed HTTPS requests or leveraging WebSocket vulnerabilities in the jconsole interface, attackers can escalate privileges without credentials. Exploitation of this flaw has been observed in the wild since at least December 2024, highlighting its severity (CVSS score pending but likely critical given its impact).
• CVE-2025-24472: A related high-severity flaw, this vulnerability was added to Fortinet’s advisory in February 2025 after initial patching efforts for CVE-2024-55591. It shares similar characteristics, targeting the same authentication bypass vector but exploiting a different code path. While initially thought to be unexploited, recent evidence suggests attackers adapted quickly, chaining it with CVE-2024-55591 for broader reach.
Both vulnerabilities affect FortiOS versions prior to 7.0.16, with thousands of unpatched FortiGate firewalls still exposed globally. For cybersecurity engineers, this is a stark reminder of the risks posed by delayed patch management and the need for real-time vulnerability scanning.
The Attack Chain: From Exploitation to Ransomware Deployment
The hackers exploiting these vulnerabilities follow a methodical attack chain, blending opportunistic tactics with sophisticated post-exploitation techniques. Here’s a technical breakdown of how these LockBit-linked actors operate:
1 Initial Access: Attackers scan for internet-facing FortiGate firewalls with exposed management interfaces (typically ports 443 or 8443). Using automated tools, they identify devices vulnerable to CVE-2024-55591 or CVE-2025-24472. Proof-of-concept (PoC) exploits, publicly available since late January 2025, accelerate this phase, enabling rapid mass exploitation.
2 Privilege Escalation: Once a foothold is established, the attackers exploit the authentication bypass to gain super-admin access. This grants them control over firewall configurations, VPN settings, and connected network segments—essentially handing them the keys to the kingdom.
3 Lateral Movement: With admin privileges, the attackers leverage Windows Management Instrumentation (WMIC) and Secure Shell (SSH) to move laterally across the network. They target high-value assets such as domain controllers, authentication servers, and database systems, harvesting credentials and mapping network topology.
4 Payload Delivery: The ransomware payload, dubbed “SuperBlack,” is deployed to encrypt critical systems. SuperBlack is a custom strain derived from the LockBit 3.0 builder, which leaked in 2022. It uses a robust encryption algorithm (likely AES-256 paired with RSA-2048 for key exchange), rendering data inaccessible without the decryption key.
5 Data Exfiltration and Cleanup: Before encryption, attackers exfiltrate sensitive data using a bespoke tool unique to this campaign. Post-encryption, they deploy a wiper tool to erase evidence, complicating forensic analysis. A ransom note, often containing a Tox chat ID linked to LockBit, is left behind.
This multi-stage approach reflects the evolution of ransomware-as-a-service (RaaS) operations, where specialized teams collaborate to maximize impact. For seasoned cybersecurity professionals, the use of WMIC and SSH highlights the importance of monitoring internal traffic for anomalous behavior.
The LockBit Connection: Decoding SuperBlack
The ties to LockBit—a prolific RaaS group disrupted by law enforcement in 2024—add a layer of complexity to this threat. SuperBlack shares code lineage with LockBit 3.0, including its encryption routines and ransom note structure. However, its operational signature suggests a distinct threat actor, potentially an affiliate or splinter group leveraging LockBit’s toolkit. Key indicators include:
• Tox Chat ID: The ransom note includes a Tox ID previously associated with LockBit operations, a peer-to-peer encrypted messaging protocol favored by ransomware actors.
• Post-Exploitation Patterns: The use of WMIC for remote execution and SSH for lateral movement mirrors tactics seen in earlier LockBit campaigns.
• Wiper Tool: The deployment of a wiper post-encryption aligns with LockBit’s aggressive data destruction tactics, though its implementation here is customized.
For technical experts, this suggests a fragmented ransomware ecosystem where leaked tools like the LockBit 3.0 builder empower new players. The adaptability of these actors—exploiting zero-days within days of PoC release—underscores the need for threat intelligence feeds and behavioral analytics to stay ahead.
Mitigation Strategies: Hardening Your Fortinet Defenses
For cybersecurity practitioners, defending against this threat requires a multi-layered approach. Here are actionable steps to secure Fortinet firewalls and mitigate ransomware risks:
1 Patch Immediately: Apply the latest FortiOS updates (version 7.0.16 or later) to address CVE-2024-55591 and CVE-2025-24472. Verify patch status across all devices using automated asset management tools.
2 Restrict Management Access: Disable or limit access to FortiGate management interfaces (e.g., HTTPS, SSH) from the public internet. Use VPNs or IP whitelisting to enforce strict access controls.
3 Audit Administrator Accounts: Review and reset credentials for all admin accounts. Enable multi-factor authentication (MFA) to prevent privilege escalation via stolen credentials.
4 Enable Comprehensive Logging: Configure detailed logging on FortiGate devices and forward logs to a SIEM system. Look for indicators of compromise (IoCs) such as unusual HTTPS requests or WMIC activity.
5 Network Segmentation: Isolate critical systems (e.g., domain controllers, databases) from firewall-adjacent segments to limit lateral movement. Use micro-segmentation where possible.
6 Deploy EDR Solutions: Install endpoint detection and response (EDR) tools on servers and workstations to detect and block ransomware execution. Ensure real-time monitoring and threat hunting capabilities.
7 Backup and Test: Maintain offline, encrypted backups of critical data. Regularly test restoration processes to ensure rapid recovery post-attack.
For organizations with high-availability (HA) FortiGate clusters, verify that compromised configurations aren’t replicated across devices—a tactic observed in these attacks. Penetration testing and red team exercises can further validate your defenses.
The Bigger Picture: Ransomware Trends in 2025
This campaign is a microcosm of broader ransomware trends in 2025. The rapid exploitation of zero-day vulnerabilities, the reuse of leaked RaaS toolkits, and the targeting of edge devices like firewalls signal a shift toward infrastructure-focused attacks. For cybersecurity veterans, this reinforces the need for a zero-trust architecture, where no device or user is implicitly trusted. The global exposure of FortiGate firewalls—over 31,000 unpatched instances, with the U.S. leading at 7,600—amplifies the urgency of collective action.
Conclusion: Staying Ahead of the Threat
The exploitation of Fortinet firewall vulnerabilities by LockBit-linked hackers is a wake-up call for cybersecurity professionals. As of March 17, 2025, this threat is active and evolving, demanding swift response and robust defenses. By understanding the technical nuances of CVE-2024-55591 and CVE-2025-24472, dissecting the attack chain, and implementing targeted mitigations, you can protect your organization from this ransomware onslaught. Stay vigilant, patch diligently, and leverage advanced security tools to outpace these adversaries. The battle against ransomware is relentless, but with expertise and preparation, we can hold the line.