SuperBlack Ransomware Exploits Fortinet Vulnerabilities for Unauthorized Access

A ransomware operator tracked as ‘Mora_001’ has been observed exploiting two authentication bypass vulnerabilities in Fortinet firewall appliances (FortiOS and FortiProxy) to gain super-admin access and deploy a custom ransomware strain named ‘SuperBlack’.

Exploited Vulnerabilities:

CVE-2025-24472: Fixed by the same FortiOS and FortiProxy releases that addressed CVE-2024-55591 in January 2025, but only assigned its own CVE and added to the advisory in February 2025. The flaw allows a remote, unauthenticated attacker to gain super-admin privileges by sending maliciously crafted CSF proxy requests. Fortinet initially stated it was not aware of active exploitation; Forescout, whose research the linked report is based on, observed ‘Mora_001’ exploiting it as early as February 2, 2025.

CVE-2024-55591: Disclosed by Fortinet in January 2025, this vulnerability allows a remote, unauthenticated attacker to bypass authentication and obtain super-admin privileges by sending crafted requests to the Node.js WebSocket module of the administrative interface. It affects FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12, and it was exploited in the wild as a zero-day since at least mid-November 2024.

Attack Methodology:

The ‘Mora_001’ group targets Fortinet devices that are unpatched and expose their administrative interface, exploiting the vulnerabilities above to obtain super-admin access to the firewall without valid credentials. From that foothold they move into the victim network, deploy the ‘SuperBlack’ ransomware, encrypt data and demand payment.

Recommendations for Fortinet Device Administrators:

Immediate Patching: Upgrade all affected Fortinet devices to firmware that addresses both flaws: FortiOS 7.0.17 or later, and FortiProxy 7.0.20 or 7.2.13 or later, as listed in Fortinet’s advisory for CVE-2024-55591 and CVE-2025-24472. Because the flaws were exploited before patches were widely applied, treat a late patch as containment only and check the device for signs of prior compromise (unknown administrator accounts, changed configuration) before trusting it again.

Review Security Advisories: Regularly consult Fortinet’s security advisories to stay informed about known vulnerabilities and recommended mitigations.​

Monitor Network Traffic and Logs: Implement continuous monitoring to detect exploitation attempts and their aftermath. Because a successful bypass yields super-admin privileges, the most useful signals are on the firewall itself: administrator logins from unexpected source addresses, logins through the ‘jsconsole’ interface from non-local addresses, and newly created administrator accounts with the super_admin profile, all of which Fortinet lists as indicators of compromise for CVE-2024-55591.

Restrict Access: Both flaws are reachable only through the administrative interface, so Fortinet’s recommended workaround is to disable HTTP/HTTPS administrative access on internet-facing interfaces or, where that is impossible, to limit the source addresses that can reach it using local-in policies and trusted-host settings on administrator accounts. Management interfaces should never be exposed to the internet.

Implement Multi-Factor Authentication (MFA): Require multiple forms of verification for administrative access. Note that MFA does not mitigate these two vulnerabilities themselves, since the bypass grants super-admin privileges without ever presenting credentials; it does raise the bar against the credential-based follow-on access and persistence that such an intrusion typically relies on.
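The monitoring recommendation above is easier to act on with a concrete check. The following Python script is an added example written for this page; it is not code from the original report, from Forescout or from Fortinet. It parses FortiGate-style key=value event-log lines and flags three conditions: a successful admin login through the ‘jsconsole’ interface from a non-loopback source address (an indicator Fortinet publishes for CVE-2024-55591), an admin login from outside a management allow-list, and the creation of a new administrator with the super_admin profile. The allow-list (MGMT_NETS) and the three sample log lines are constructed for the example and are not real captures.

```python
import ipaddress
import re

# Hypothetical allow-list of networks from which administrator logins are expected.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample lines in FortiGate event-log format (not real captures).
# Line 1: routine GUI login from a management host.
# Line 2: login via the "jsconsole" UI from a routable address, the pattern
#         Fortinet's advisory for CVE-2024-55591 lists as an indicator of compromise.
# Line 3: a new super_admin account with a random-looking name added via jsconsole.
SAMPLE_LOGS = [
    'date=2025-02-03 time=08:15:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2025-02-03 time=03:41:19 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=198.51.100.23 dstip=203.0.113.10 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-02-03 time=03:41:22 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgtid=1411317760 cfgpath="system.admin" cfgobj="qZkvb" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin qZkvb"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Split one FortiGate log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def check_event(fields: dict) -> list:
    """Return (rule, detail) tuples for every suspicious condition in one parsed event."""
    alerts = []
    ui = fields.get("ui", "")
    src = fields.get("srcip")

    if fields.get("logdesc") == "Admin login successful" and src:
        src_ip = ipaddress.ip_address(src)
        if ui.startswith("jsconsole") and not src_ip.is_loopback:
            # jsconsole logins from a non-local address match the published IoC.
            alerts.append(("jsconsole_login_remote_src",
                           f"user={fields.get('user')} srcip={src} profile={fields.get('profile')}"))
        elif not src_ip.is_loopback and not any(src_ip in net for net in MGMT_NETS):
            alerts.append(("admin_login_outside_mgmt_net",
                           f"user={fields.get('user')} srcip={src} ui={ui}"))

    if (fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add"
            and "accprofile[super_admin]" in fields.get("cfgattr", "")):
        # A new super_admin account is how an attacker keeps access after the bypass.
        alerts.append(("super_admin_account_added",
                       f"new_admin={fields.get('cfgobj')} by={fields.get('user')} ui={ui}"))
    return alerts


def scan(lines) -> list:
    """Run check_event over every line; return findings with 1-based line numbers."""
    findings = []
    for number, line in enumerate(lines, 1):
        for rule, detail in check_event(parse_fortigate_log(line)):
            findings.append({"line": number, "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['rule']} ({finding['detail']})")
```

Run against the constructed sample, the script reports line 2 (jsconsole login from 198.51.100.23) and line 3 (new super_admin account) and stays silent on the routine login in line 1. In practice, feed it the event log exported from the firewall or forwarded to a syslog collector, and replace MGMT_NETS with the networks your administrators actually use; a login that trips the allow-list rule is a lower-confidence signal than the jsconsole and account-creation rules, which should be treated as incidents.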

By patching promptly, keeping the administrative interface off the internet and watching the firewall’s own logs for unexpected administrator activity, organizations can reduce the risk posed by the ‘SuperBlack’ ransomware and by other actors exploiting the same flaws.

Ref : https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
