In January 2025, Arctic Wolf’s threat research team observed suspicious activity on Fortinet FortiGate firewall devices that were being exploited by the new SuperBlack ransomware. The underlying vulnerability could jeopardize companies that have not yet applied the patch and highlights the growing threat of targeted cyberattacks.
On January 14, Fortinet published confirmation of a zero-day vulnerability affecting FortiOS and FortiProxy products, labeled CVE-2024-55591. On February 11, the company confirmed another vulnerability labeled CVE-2025-24472.
The new SuperBlack ransomware exploits the latter Fortinet vulnerability to bypass authorization, as was recently reported.
Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf, gives his assessment of the exploitation of the Fortinet vulnerability by SuperBlack ransomware and its significance for cybersecurity:
“Threat actors are always looking for new ‘revenue streams’. And the Fortinet vulnerabilities are an example of the risks that unpatched vulnerabilities pose to organizations. In the case of Fortinet, there is good news: the patch released by the company should cover both vulnerabilities. However, recent reports suggest that threat actors are now targeting organizations that did not apply the patch or adjust their firewall configurations when the vulnerability was originally disclosed.
As with other known vulnerabilities that have not yet been patched, cybercriminals are quick to exploit this omission. The threat actor responsible for the ransomware campaign described in the Forescout report appears to be using a number of known tools that have been used in previous ransomware activities. However, it adapted its initial access techniques. When the LockBit 3.0 builder was leaked in 2022, numerous groups began using it for their own independent campaigns. This threat actor appears to be doing the same. In addition, the ransomware approach has similarities to that of other groups, such as the now-defunct BlackCat/ALPHV ransomware variant. This illustrates how the threat actors hiding behind the names of ransomware groups change their names and adapt as their incentives and alliances evolve over time.
We recommend that companies that have not yet closed this security gap do so as soon as possible and check the security configuration of their firewall. This is the only way they can prevent themselves from falling victim to this or similar campaigns.”