Fortinet Under Fire: How Firewall Vulnerabilities Are Devastating Healthcare and Critical Infrastructure

A comprehensive analysis of Fortinet's exploitation crisis and why hospitals keep getting hit

Executive Summary

While the cybersecurity world focused on SonicWall's troubles, Fortinet products have quietly become one of the most frequently exploited attack vectors in modern ransomware campaigns—with healthcare bearing the brunt of the damage. With 20 CVEs on CISA's Known Exploited Vulnerabilities catalog and active exploitation by groups like Qilin, Akira, and Mora_001, Fortinet devices have become a favorite entry point for ransomware operators targeting hospitals, clinics, and healthcare providers.

In 2024 alone, healthcare suffered 444 reported cyber incidents (238 ransomware, 206 data breaches), more than any other US critical infrastructure sector. A further 592 breach filings reached the HHS Office for Civil Rights, covering 259 million affected individuals. A recurring initial-access vector across these campaigns: compromised Fortinet edge devices.

This isn't a theoretical risk—it's an ongoing crisis that's disrupting patient care, canceling surgeries, and exposing sensitive medical records at an unprecedented scale.

The Current Crisis: Recent Fortinet Exploits

November 2025: FortiWeb Zero-Days (CVE-2025-64446 & CVE-2025-58034)

The Attack: In early October 2025, attackers began exploiting CVE-2025-64446, a relative path traversal flaw in the management interface of Fortinet's FortiWeb web application firewall, to execute administrative actions without authentication.

What makes this worse: Fortinet quietly patched the vulnerability on October 28 but didn't publicly disclose it until November 14—17 days later—only confirming exploitation after security researchers independently discovered it.

Key Details:

  • CVSS Score: 9.1-9.8 (Critical)
  • Impact: Complete device takeover, administrative access
  • Timeline: Exploited since early October, disclosed mid-November
  • Added to CISA KEV: November 14, 2025, with a 7-day remediation deadline (November 21) for federal civilian agencies
  • Second vulnerability: CVE-2025-58034 (authenticated command injection) discovered being chained with the first

The Delayed Disclosure Problem: Security researcher Ryan Emmons from Rapid7 was scathing in his assessment: "Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency... When a vendor has knowledge of product flaws and a patch is published, it's imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers."

By the time Fortinet publicly disclosed CVE-2025-64446, attackers had been exploiting it for over a month.
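The bug class behind CVE-2025-64446 is worth seeing in code: an authorization decision made on the raw request path while the router decides on the canonical (decoded, dot-segment-collapsed) path. The following is a hypothetical illustration written for this article, not FortiWeb source, and it does not reproduce the request used in the wild; the `/public` and `/admin` prefixes and the handler names are made up. The hardened version canonicalizes first and fails closed on any path that canonicalization had to change.

```python
"""Path confusion before an authorization check: vulnerable and hardened versions.

Hypothetical code written for this article to illustrate the bug class.
It is not FortiWeb source and does not reproduce the request used against
CVE-2025-64446; the route prefixes and handler names are made up.
"""
import posixpath
from urllib.parse import unquote

ADMIN_PREFIX = "/admin"    # routes that must require an authenticated session
PUBLIC_PREFIX = "/public"  # routes served without a session


def _under(path: str, prefix: str) -> bool:
    """True if path is exactly prefix or sits below it (so '/admin' does not match '/administrivia')."""
    return path == prefix or path.startswith(prefix + "/")


def canonicalize(raw_path: str) -> str:
    """Percent-decode and collapse '.' and '..' segments, as a dispatcher would."""
    return posixpath.normpath(unquote(raw_path))


def vulnerable_is_authorized(raw_path: str, authenticated: bool) -> bool:
    """Decides on the raw path, before decoding and normalization.

    A request for '/public/../admin/config' (or its percent-encoded form)
    passes the public-prefix test here but reaches the admin handler below.
    """
    if raw_path.startswith(PUBLIC_PREFIX + "/"):
        return True
    if raw_path.startswith(ADMIN_PREFIX + "/"):
        return authenticated
    return False


def hardened_is_authorized(raw_path: str, authenticated: bool) -> bool:
    """Canonicalize first, fail closed on anything canonicalization changed, then decide."""
    norm = canonicalize(raw_path)
    # A management interface can reject non-canonical paths outright: dot
    # segments, doubled slashes and percent-encoded separators are never
    # legitimate there, and refusing them removes the whole traversal surface.
    if norm not in (raw_path, raw_path.rstrip("/")):
        return False
    if _under(norm, ADMIN_PREFIX):
        return authenticated
    if _under(norm, PUBLIC_PREFIX):
        return True
    return False


def dispatch(raw_path: str) -> str:
    """Route selection happens on the canonical path, as in most frameworks."""
    norm = canonicalize(raw_path)
    if _under(norm, ADMIN_PREFIX):
        return "admin-handler"
    if _under(norm, PUBLIC_PREFIX):
        return "public-handler"
    return "not-found"


def evaluate(raw_path: str, authenticated: bool = False) -> tuple:
    """Return (vulnerable decision, hardened decision, handler actually reached)."""
    return (
        vulnerable_is_authorized(raw_path, authenticated),
        hardened_is_authorized(raw_path, authenticated),
        dispatch(raw_path),
    )


if __name__ == "__main__":
    for path in ("/public/../admin/config", "/public/%2e%2e/admin/config", "/admin/config"):
        print(path, evaluate(path, authenticated=False))
```

The first two paths print `(True, False, 'admin-handler')`: the vulnerable check lets an unauthenticated request through and the router then hands it to the admin handler, while the hardened check refuses it. The general rule is that every security decision must be made on the same representation of the path that the router uses, and the safest way to guarantee that is to reject any request whose raw form is not already canonical.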

May-June 2025: Qilin Ransomware's Coordinated Campaign

The Attack: The prolific Qilin ransomware group (responsible for over $50 million in 2024 ransoms alone) launched a coordinated campaign exploiting multiple Fortinet vulnerabilities simultaneously.

Targeted Vulnerabilities:

  • CVE-2024-21762 (patched February 2024)
  • CVE-2024-55591 (exploited as zero-day since November 2024)
  • Multiple others, in partially automated, scripted attacks

Healthcare Impact:

  • Synnovis attack (June 2024, an earlier Qilin intrusion): crippled pathology services for major NHS hospitals in London
  • Over 10,000 appointments and procedures postponed (far more than the 700+ cited in initial reports)
  • Hospital services disrupted for weeks
  • Geographic focus: Spanish-speaking countries initially, expanding globally

Threat intelligence firm PRODAFT assessed with "moderate confidence" that Qilin achieved initial access by exploiting FortiGate vulnerabilities, using partially automated tools to scan for and compromise vulnerable devices at scale.

For comprehensive analysis of Qilin's rise to dominance, see our in-depth article: The Ransomware-as-a-Service Ecosystem in Late 2025: From LockBit's Disruption to the Rise of Qilin, Akira, and DragonForce.

January-March 2025: Mora_001/SuperBlack Ransomware

The Attack: A new ransomware group called Mora_001, with suspected ties to the disrupted LockBit operation, deployed a novel ransomware strain dubbed "SuperBlack" after exploiting two Fortinet bugs.

Exploited Vulnerabilities:

  • CVE-2024-55591 (authentication bypass)
  • CVE-2025-24472 (authentication bypass via alternate path)

The LockBit Connection: Forescout researchers found SuperBlack closely resembles LockBit 3.0 ransomware, suggesting either:

  1. Current affiliation with LockBit remnants
  2. Use of leaked LockBit 3.0 builder from 2022
  3. Shared infrastructure and tools

CISA's Urgent Response: CISA gave federal agencies one week to patch CVE-2024-55591, rather than the usual three weeks, underscoring the severity of active exploitation.
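The one-week deadline on CVE-2024-55591 and the 7-day window on the FortiWeb bug are both readable straight from CISA's KEV feed, which carries a `dateAdded` and a `dueDate` per entry. The script below, an added example written for this article and not CISA tooling, pulls a vendor's entries out of a KEV-format feed, computes the remediation window CISA allowed, and ranks what is overdue or due soon on a given date. The embedded feed is a constructed sample in the schema of the catalog CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; its dates and ransomware-use flags are illustrative and must be checked against the live feed before use.

```python
"""Remediation-deadline triage for one vendor's entries in a CISA KEV-format feed.

Added example written for this article, not CISA tooling. SAMPLE_KEV_FEED is a
constructed sample in the schema of the catalog CISA publishes at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
replace it with the live download. Dates and ransomware flags below are
illustrative and should be verified against the real feed.
"""
import json
from datetime import date

SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS and FortiProxy",
         "vulnerabilityName": "Fortinet FortiOS Authorization Bypass Vulnerability",
         "dateAdded": "2025-01-14", "dueDate": "2025-01-21",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-32756", "vendorProject": "Fortinet", "product": "Multiple Products",
         "vulnerabilityName": "Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability",
         "dateAdded": "2025-05-14", "dueDate": "2025-06-04",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet", "product": "FortiWeb",
         "vulnerabilityName": "Fortinet FortiWeb Path Traversal Vulnerability",
         "dateAdded": "2025-11-14", "dueDate": "2025-11-21",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-24919", "vendorProject": "Check Point", "product": "Quantum Security Gateways",
         "vulnerabilityName": "Check Point Quantum Security Gateways Information Disclosure Vulnerability",
         "dateAdded": "2024-05-30", "dueDate": "2024-06-20",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_entries(feed_text: str) -> list:
    """Parse a KEV-format JSON document and return its vulnerability list."""
    return json.loads(feed_text)["vulnerabilities"]


def vendor_entries(entries: list, vendor: str) -> list:
    """Case-insensitive filter on the vendorProject field."""
    return [e for e in entries if e["vendorProject"].casefold() == vendor.casefold()]


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between listing and deadline: 7 is the short urgent window, 21 the usual one."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def triage(entries: list, vendor: str, today: date, soon_days: int = 7) -> list:
    """Rank a vendor's KEV entries by urgency relative to `today`."""
    rows = []
    for e in vendor_entries(entries, vendor):
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= soon_days:
            status = "DUE_SOON"
        else:
            status = "ON_TRACK"
        rows.append({
            "cve": e["cveID"],
            "product": e["product"],
            "status": status,
            "days_left": days_left,
            "window_days": remediation_window_days(e),
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    # Most urgent first: longest overdue, then soonest deadline; ties broken by CVE id
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_entries(SAMPLE_KEV_FEED), "Fortinet", date(2025, 11, 18)):
        flag = " [ransomware]" if row["ransomware"] else ""
        print(f'{row["status"]:9} {row["cve"]} {row["product"]} '
              f'due in {row["days_left"]:>5} days (window {row["window_days"]}d){flag}')
```

Run against the live feed with `today = date.today()`, the same triage shows at a glance which Fortinet entries a federal agency is already out of compliance on, and the `window_days` column makes the 7-day versus 21-day distinction visible without reading each advisory. The `knownRansomwareCampaignUse` field is worth surfacing separately: it is CISA's own signal for exactly the ransomware use this article documents.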

May 2025: Zero-Day Exploitation (CVE-2025-32756)

The Attack: Multiple threat groups exploited a critical stack-based buffer overflow in Fortinet's FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera platforms.

Key Details:

  • CVSS Score: 9.6 (Critical)
  • Impact: Remote code execution without authentication
  • Affected Products: Unified communications, email security, network detection, video surveillance
  • Exploitation: Fortinet reported in-the-wild exploitation in the advisory that accompanied the patch
  • Added to CISA KEV: May 14, 2025

The Broader Pattern: GreyNoise reported a surge in scanning activity targeting Fortinet devices in early 2025, noting that 80% of similar traffic spikes have historically preceded CVE disclosures within six weeks.
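The scanning surges GreyNoise describes are detectable on your own perimeter without a threat-intelligence feed: count the distinct source addresses that touch the management or VPN login endpoint each day and alert when that count jumps well above its recent baseline. The detector below is an added example written for this article, not GreyNoise's methodology. The log lines are constructed, the field layout (ISO timestamp, `src=`, `uri=`) and the `/remote/login` path are assumptions, and the thresholds (seven-day median baseline, 3x multiplier, floor of 20 sources) are illustrative starting points to tune against real traffic.

```python
"""Flag days when the number of distinct sources probing a management endpoint
jumps far above its recent baseline.

Added example written for this article; it is not GreyNoise's methodology.
The log lines are constructed, the field layout (ISO timestamp, src=, uri=)
and the watched path are assumed, and the thresholds (7-day median baseline,
3x multiplier, floor of 20 sources) are illustrative defaults to tune.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed log layout: "<ISO-8601 ts> src=<ip> dst_port=<n> uri=<path>"
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>[\d.]+) .*\buri=(?P<uri>\S+)")
WATCHED_URI = "/remote/login"   # assumed path of the SSL-VPN / admin login page


def build_sample_log() -> list:
    """Constructed sample: nine quiet days with 3-5 distinct sources, then 45 on day ten."""
    lines = []
    for d in range(1, 10):
        for i in range(3 + d % 3):
            lines.append(f"2025-02-{d:02d}T0{i}:15:00Z src=203.0.113.{10 + i} dst_port=443 uri={WATCHED_URI}")
    for i in range(45):
        lines.append(f"2025-02-10T{i % 24:02d}:{i:02d}:00Z src=198.51.100.{i + 1} dst_port=443 uri={WATCHED_URI}")
    # Health-check traffic on the spike day that must not count toward the spike
    lines.append("2025-02-10T12:00:00Z src=203.0.113.200 dst_port=443 uri=/healthz")
    return lines


def distinct_sources_per_day(lines: list, uri: str = WATCHED_URI) -> dict:
    """Map day -> number of distinct source IPs that requested the watched URI."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("uri") == uri:
            seen[m.group("day")].add(m.group("src"))
    return {day: len(srcs) for day, srcs in seen.items()}


def detect_spikes(counts: dict, baseline_days: int = 7, factor: float = 3.0,
                  min_sources: int = 20, min_history: int = 3) -> list:
    """Return (day, count, baseline) for days whose distinct-source count clears
    both an absolute floor and a multiple of the median of the preceding days."""
    spikes = []
    days = sorted(counts)
    for idx, day in enumerate(days):
        history = [counts[d] for d in days[max(0, idx - baseline_days):idx]]
        if len(history) < min_history:
            continue                      # too little history for a meaningful baseline
        baseline = median(history)
        if counts[day] >= max(min_sources, factor * baseline):
            spikes.append((day, counts[day], baseline))
    return spikes


if __name__ == "__main__":
    per_day = distinct_sources_per_day(build_sample_log())
    for day, count, baseline in detect_spikes(per_day):
        print(f"{day}: {count} distinct sources hit {WATCHED_URI} (baseline {baseline})")
```

On the sample the only hit is the tenth day, 45 sources against a baseline of 4. The median rather than the mean keeps one earlier noisy day from inflating the baseline, the absolute floor stops a move from 1 to 4 sources from alerting, and filtering on the URI keeps health checks and ordinary user logins on other paths out of the count. A spike of this shape against a Fortinet login page is the moment to check the device's firmware against the current PSIRT advisories, before a CVE is published.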

Healthcare: The Primary Victim

Why Healthcare is Ransomware's Favorite Target

Healthcare organizations face a perfect storm of vulnerabilities that make them ideal ransomware victims:

  1. Life-or-Death Pressure: Unlike other sectors, hospital downtime directly impacts patient care, creating immense pressure to pay ransoms quickly
  2. Valuable Data: Medical records fetch premium prices on dark web markets
  3. Legacy Systems: Many hospitals run outdated equipment that can't be easily patched
  4. Limited Security Budgets: 42% of healthcare ransomware victims cited "lack of people and capacity" as contributing factor
  5. Regulatory Complexity: HIPAA and state breach notification laws add compliance pressure
  6. Consolidation Targets: Hospital mergers create larger, more lucrative targets

The 2024-2025 Healthcare Ransomware Catastrophe

By The Numbers:

  • 444 reported incidents in 2024 (highest of any critical infrastructure sector)
  • 238 ransomware attacks (second only to critical manufacturing's 258)
  • 206 data breaches
  • 592 regulatory filings to HHS Office for Civil Rights
  • 259 million individuals affected across those filings (a person caught in more than one breach is counted each time, so this is not a count of distinct Americans)
  • 66% of healthcare organizations hit by ransomware in 2024 (four-year high)

Major 2024-2025 Healthcare Incidents:

Change Healthcare (February 2024)

  • Impact: 190 million Americans (largest healthcare breach in history)
  • Attacker: ALPHV/BlackCat ransomware
  • Damage: Disrupted prescription processing nationwide for weeks
  • Congressional Response: Senate hearings, calls for enhanced CMS/HHS emergency powers

Ascension Health (May 2024)

  • Scope: 142 hospitals across 19 states
  • Impact: 5.6 million patients affected
  • Downtime: Electronic health record systems offline for 4 weeks
  • Consequences: Delayed care, manual workarounds, patient safety concerns

Blue Shield of California (disclosed April 2025)

  • Impact: 4.7 million members
  • Vector: member data shared with Google Ads through a misconfigured web-analytics integration between 2021 and 2024, not ransomware

HealthEquity (accessed March 2024, disclosed July 2024)

  • Impact: 4.3 million individuals
  • Vector: compromised account on a business partner's device

By Breached Company