Fortinet Exploits: Qilin Ransomware Attacks
- The Qilin ransomware operation, also known as Phantom Mantis, has added attacks exploiting Fortinet vulnerabilities to its arsenal.
- Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation.
- PRODAFT, a threat intelligence firm, discovered the new, partially automated Qilin ransomware attacks targeting Fortinet flaws.
The Qilin ransomware group is actively exploiting Fortinet flaws, delivering a potent threat to networks worldwide. Attackers are leveraging authentication bypass and remote code execution vulnerabilities, primarily targeting organizations in Spanish-speaking countries. This marks a significant escalation in cyberattacks, with victims including major organizations and even NHS hospitals, severely disrupting services. News Directory 3 reports on the new, partially automated campaigns and the zero-day exploits. With the threat landscape constantly evolving, and considering the past zero-day use of Fortinet vulnerabilities, what defensive measures can you take to safeguard your systems?
Qilin Ransomware Exploits Fortinet Flaws in Attacks
Updated June 07, 2025
The Qilin ransomware operation, also known as Phantom Mantis, has added attacks exploiting Fortinet vulnerabilities to its arsenal. These flaws allow attackers to bypass authentication and remotely execute malicious code on vulnerable devices.
Qilin surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation. It has since claimed over 310 victims on its dark web leak site. The group’s targets have included automotive giant Yanfeng, publishing house Lee Enterprises, Australia’s Court Services Victoria, and Synnovis, a pathology services provider. The attack on Synnovis disrupted several major NHS hospitals in London, leading to the cancellation of hundreds of appointments and operations.
PRODAFT, a threat intelligence firm, discovered the new, partially automated Qilin ransomware attacks targeting Fortinet flaws. They noted that the threat actors are focusing on organizations in Spanish-speaking countries. However, they anticipate the campaign will expand globally.
“Phantom Mantis recently launched a coordinated intrusion campaign targeting multiple organizations between May and June 2025,” PRODAFT said in a flash alert. “We assess with moderate confidence that initial access is being achieved by exploiting several FortiGate vulnerabilities, including CVE-2024-21762, CVE-2024-55591, and others.”
According to PRODAFT, the group selects targets opportunistically, rather than following strict geographical or sector-based patterns, despite the focus on Spanish-speaking countries.

CVE-2024-55591, one of the exploited flaws, was previously used as a zero-day by other threat groups to breach FortiGate firewalls as early as November 2024. The Mora_001 ransomware operator also used it to deploy the SuperBlack ransomware, which is linked to the LockBit cybercrime gang.
CVE-2024-21762, another Fortinet vulnerability exploited by Qilin, was patched in February. CISA added it to its catalog of actively exploited security flaws, ordering federal agencies to secure their FortiOS and FortiProxy devices by Feb. 16.
The Shadowserver Foundation reported nearly 150,000 devices remained vulnerable to CVE-2024-21762 attacks almost a month later.
Fortinet security vulnerabilities are often exploited in cyber espionage campaigns and ransomware attacks. In February, Fortinet disclosed that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware. This malware had previously been used to backdoor a Dutch Ministry of Defence military network.
What’s next
Organizations using Fortinet products should apply the latest patches and monitor their systems for suspicious activity to mitigate the risk of Qilin ransomware attacks. Vigilance and proactive security measures are crucial to defend against evolving cyber threats.
