Exploitation of Critical Fortinet Vulnerabilities in Qilin Ransomware Campaigns


The Qilin ransomware operation has recently been identified as targeting two critical Fortinet vulnerabilities, enabling threat actors to bypass authentication on affected devices and execute malicious code remotely.

Emerging as a Ransomware-as-a-Service (RaaS) operation in August 2022 under the alias “Agenda,” Qilin, also tracked as Phantom Mantis, has now claimed responsibility for over 310 attacks documented on its dark web leak site. Its targets include notable organizations such as the automotive supplier Yanfeng, publishing powerhouse Lee Enterprises, and Australia’s Court Services Victoria, alongside pathology service provider Synnovis. The attack on Synnovis severely disrupted several major NHS hospitals in London, leading to the cancellation of numerous medical appointments and procedures.

PRODAFT, a threat intelligence firm, has reported on the automated Qilin ransomware campaigns leveraging specific Fortinet vulnerabilities. The focus is presently on organizations in Spanish-speaking countries, although the campaign is projected to broaden to a more global scale.

“Phantom Mantis initiated a coordinated intrusion effort aimed at various organizations from May to June 2025. Our findings indicate that initial access points are achieved by exploiting several FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591, among others,” states PRODAFT in a detailed alert.

“The data illustrates a marked interest in Spanish-speaking nations, yet the group’s target selection appears more opportunistic rather than directionally constrained by geography or industry sectors.”

Figure: PRODAFT alert on Fortinet-based Qilin ransomware attacks

Among the vulnerabilities exploited in these campaigns is CVE-2024-55591, which had previously been exploited as a zero-day by other threat actors aiming to breach FortiGate firewalls dating back to November 2024. Operators of Mora_001 ransomware also utilized this vulnerability to deploy the SuperBlack strain, associated with the LockBit cybercrime syndicate.

The second critical vulnerability under attack, CVE-2024-21762, was patched in February, with the Cybersecurity and Infrastructure Security Agency (CISA) classifying it as an actively exploited flaw and mandating that federal authorities secure their FortiOS and FortiProxy devices by February 16.

In the following month, the Shadowserver Foundation revealed that nearly 150,000 devices remained susceptible to attacks leveraging CVE-2024-21762.

Fortinet vulnerabilities, frequently exploited and often used as zero-days, are commonly seen in both cyber espionage operations and ransomware attacks. For example, Fortinet disclosed that the Chinese Volt Typhoon hacking group leveraged two FortiOS SSL VPN vulnerabilities (CVE-2022-42475 and CVE-2023-27997) to deploy remote access trojan malware, which had previously been used to compromise the Dutch Ministry of Defence’s networks.