A comprehensive analysis of Fortinet’s exploitation crisis and why hospitals keep getting hit

Executive Summary

While the cybersecurity world focused on SonicWall’s troubles, Fortinet products have quietly become one of the most frequently exploited attack vectors in modern ransomware campaigns—with healthcare bearing the brunt of the damage. With 20 CVEs on CISA’s Known Exploited Vulnerabilities catalog and active exploitation by groups like Qilin, Akira, and Mora_001, Fortinet devices have become a favorite entry point for ransomware operators targeting hospitals, clinics, and healthcare providers.

In 2024 alone, healthcare suffered 444 reported cyber incidents (238 ransomware, 206 data breaches)—more than any other US critical infrastructure sector. A staggering 592 regulatory filings were submitted to HHS, impacting 259 million Americans. Behind many of these attacks: compromised Fortinet firewalls.

This isn’t a theoretical risk—it’s an ongoing crisis that’s disrupting patient care, canceling surgeries, and exposing sensitive medical records at an unprecedented scale.


The Current Crisis: Recent Fortinet Exploits

November 2025: FortiWeb Zero-Days (CVE-2025-64446 & CVE-2025-58034)

The Attack: In October 2025, attackers began exploiting CVE-2025-64446, a path traversal vulnerability in Fortinet’s FortiWeb web application firewall, to gain administrative access without authentication.

What makes this worse: Fortinet quietly patched the vulnerability on October 28 but didn’t publicly disclose it until November 14—17 days later—only confirming exploitation after security researchers independently discovered it.

Key Details:

  • CVSS Score: 9.1-9.8 (Critical)
  • Impact: Complete device takeover, administrative access
  • Timeline: Exploited since early October, disclosed mid-November
  • Added to CISA KEV: November 14, 2025 (7-day remediation deadline)
  • Second vulnerability: CVE-2025-58034 (authenticated command injection) discovered being chained with the first

The Delayed Disclosure Problem: Security researcher Ryan Emmons from Rapid7 was scathing in his assessment: “Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency… When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”

By the time Fortinet publicly disclosed CVE-2025-64446, attackers had been exploiting it for over a month.


May-June 2025: Qilin Ransomware’s Coordinated Campaign

The Attack: The prolific Qilin ransomware group (responsible for over $50 million in 2024 ransoms alone) launched a coordinated campaign exploiting multiple Fortinet vulnerabilities simultaneously.

Targeted Vulnerabilities:

  • CVE-2024-21762 (patched February 2024)
  • CVE-2024-55591 (exploited as zero-day since November 2024)
  • Multiple others in automated, partially-scripted attacks

Healthcare Impact:

  • Synnovis attack: Crippled pathology services for several major NHS hospitals in London
  • Over 10,000 appointments and procedures canceled (not 700+ as initially reported)
  • Hospital services disrupted for weeks
  • Geographic focus: Spanish-speaking countries initially, expanding globally

Threat intelligence firm PRODAFT assessed with “moderate confidence” that Qilin achieved initial access by exploiting FortiGate vulnerabilities, using partially automated tools to scan for and compromise vulnerable devices at scale.

For comprehensive analysis of Qilin’s rise to dominance, see our in-depth article: The Ransomware-as-a-Service Ecosystem in Late 2025: From LockBit’s Disruption to the Rise of Qilin, Akira, and DragonForce.

January-March 2025: Mora_001/SuperBlack Ransomware

The Attack: A new ransomware group called Mora_001, with suspected ties to the disbanded LockBit operation, deployed a novel ransomware strain dubbed “SuperBlack” after exploiting two Fortinet bugs.

Exploited Vulnerabilities:

  • CVE-2024-55591 (authentication bypass)
  • CVE-2025-24472 (authentication bypass via alternate path)

The LockBit Connection: Forescout researchers found SuperBlack closely resembles LockBit 3.0 ransomware, suggesting either:

  • Current affiliation with LockBit remnants
  • Use of leaked LockBit 3.0 builder from 2022
  • Shared infrastructure and tools

CISA’s Urgent Response: CISA gave federal agencies just one week to patch CVE-2024-55591—one of the shortest deadlines ever issued—underscoring the severity of active exploitation.

May 2025: Zero-Day Exploitation (CVE-2025-32756)

The Attack: Multiple threat groups exploited a critical stack-based buffer overflow in Fortinet’s FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera platforms.

Key Details:

  • CVSS Score: 9.6 (Critical)
  • Impact: Remote code execution without authentication
  • Affected Products: Unified communications, email security, network detection, video surveillance
  • Exploitation: Fortinet confirmed in-the-wild exploitation before releasing patch
  • Added to CISA KEV: May 2025

The Broader Pattern: GreyNoise reported a surge in scanning activity targeting Fortinet devices in early 2025, noting that 80% of similar traffic spikes have historically preceded CVE disclosures within six weeks.


Healthcare: The Primary Victim

Why Healthcare is Ransomware’s Favorite Target

Healthcare organizations face a perfect storm of vulnerabilities that make them ideal ransomware victims:

  • Life-or-Death Pressure: Unlike other sectors, hospital downtime directly impacts patient care, creating immense pressure to pay ransoms quickly
  • Valuable Data: Medical records fetch premium prices on dark web markets
  • Legacy Systems: Many hospitals run outdated equipment that can’t be easily patched
  • Limited Security Budgets: 42% of healthcare ransomware victims cited “lack of people and capacity” as contributing factor
  • Regulatory Complexity: HIPAA and state breach notification laws add compliance pressure
  • Consolidation Targets: Hospital mergers create larger, more lucrative targets

The 2024-2025 Healthcare Ransomware Catastrophe

By The Numbers:

  • 444 reported incidents in 2024 (highest of any critical infrastructure sector)
  • 238 ransomware attacks (second only to critical manufacturing’s 258)
  • 206 data breaches
  • 592 regulatory filings to HHS Office for Civil Rights
  • 259 million Americans impacted (entire US population nearly affected)
  • 66% of healthcare organizations hit by ransomware in 2024 (four-year high)

Major 2024-2025 Healthcare Incidents:

Change Healthcare (February 2024)

  • Impact: 190 million Americans (largest healthcare breach in history)
  • Attacker: ALPHV/BlackCat ransomware
  • Damage: Disrupted prescription processing nationwide for weeks
  • Congressional Response: Senate hearings, calls for enhanced CMS/HHS emergency powers

Ascension Health (May 2024)

  • Scope: 142 hospitals across 19 states
  • Impact: 5.6 million patients affected
  • Downtime: Electronic health record systems offline for 4 weeks
  • Consequences: Delayed care, manual workarounds, patient safety concerns

Blue Shield of California (Early 2025)

  • Impact: 4.7 million individuals
  • Part of: Larger series affecting multiple healthcare providers

HealthEquity (March 2024)

  • Impact: 4.3 million patients
  • Vector: Compromised partner device

The Shifting Tactics: Data Extortion Over Encryption

A troubling new trend has emerged in healthcare ransomware: attackers are increasingly skipping encryption entirely and focusing purely on data extortion.

2025 Healthcare Ransomware Statistics (Sophos Report):

  • Only 34% of attacks resulted in encryption (down from 74% in 2024)
  • 12% were extortion-only attacks (tripled from 4% in 2022-2023)
  • Attacks stopped before encryption: Five-year high
  • Mean recovery cost: $1.02 million (down 60% from 2024’s $2.57 million)

What This Means:

  • Healthcare defenses are improving at detecting and stopping encryption
  • Attackers are adapting by threatening to leak stolen data without encrypting anything
  • Medical records, patient data, and research information are valuable enough to extort without disrupting systems
  • Organizations still face massive HIPAA violations and reputational damage


Vulnerability Exploitation: The New Primary Vector

For the first time in three years, exploited vulnerabilities overtook credential-based attacks as the most common root cause of healthcare breaches in 2025, used in 33% of incidents.

Translation: Unpatched systems—including Fortinet firewalls—are now the #1 way attackers are breaching hospitals.

The 88 Ransomware Groups Targeting Healthcare

Sophos X-Ops identified 88 distinct threat groups targeting healthcare organizations in 2024-2025. The most prominent:

  • GOLD FEATHER (Qilin) - Most active overall, $50M+ in 2024 ransoms, 81 attacks in June 2025 alone
  • GOLD IONIC (INC Ransom) - Healthcare specialist
  • GOLD HUBBARD (RansomHub) - Dominated until March 2025 disruption
  • Akira - $244 million in total proceeds, fastest-moving attacks
  • LockBit variants (including Mora_001/SuperBlack)

Qilin’s Major Healthcare Victims:

  • Synnovis Laboratories (NHS): 10,000+ appointments canceled
  • Covenant Health: 7,864 individuals affected (May 2025)
  • Multiple healthcare facilities in coordinated August 2025 attacks

For detailed analysis of how these groups evolved after LockBit’s disruption, see: The Ransomware-as-a-Service Ecosystem in Late 2025.

Fortinet’s Four-Year Exploitation History: 20 CVEs on CISA KEV

Like SonicWall, Fortinet has become a persistent target for ransomware operators. With 20 vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog, Fortinet ties SonicWall for second-worst among firewall vendors (behind only Ivanti’s 16 since January 2024).

Timeline of Major Fortinet Exploits

2019-2021: The Early Warning Signs

CVE-2019-19781 (Citrix, often deployed alongside Fortinet)

  • Early indication that VPN/firewall appliances were becoming primary targets
  • Set pattern for future campaigns

2022: Critical Buffer Overflow

CVE-2022-42475 (FortiOS - Buffer Overflow)

  • CVSS: Critical
  • Impact: Remote code execution
  • Exploitation: Nation-state actors and ransomware groups
  • Persistence Method: Attackers developed symlink-based persistence to survive patches
  • Added to CISA KEV: 2022

The Persistence Problem: In April 2025, Fortinet warned that threat actors had developed a post-exploitation technique that maintains read-only access even after patching—affecting over 14,000 FortiGate devices globally.

2023: Continuing Pressure

CVE-2023-27997 (FortiOS - Heap Buffer Overflow)

  • Impact: Pre-authentication remote code execution
  • Targets: FortiOS, FortiProxy
  • Exploitation: Active exploitation in nation-state campaigns
  • Added to CISA KEV: 2023

CVE-2023-48788 (FortiClientEMS - SQL Injection)

  • CVSS: 9.3 (Critical)
  • Impact: Unauthorized code execution
  • Target: Endpoint Management Server
  • Added to CISA KEV: 2024

2024: Zero-Day Surge

CVE-2024-21762 (FortiOS/FortiProxy - Out-of-Bounds Write)

  • Disclosed: February 2024
  • CVSS: 9.6 (Critical)
  • Impact: Remote code execution
  • Exploitation: Qilin ransomware, various APT groups
  • Added to CISA KEV: February 2024
  • March 2024: Shadowserver found nearly 150,000 devices still vulnerable one month after CISA deadline

CVE-2024-55591 (FortiOS - Authentication Bypass) - THE BIG ONE FOR 2024-2025

  • Disclosed: December 2024 (exploited as zero-day since November 2024)
  • CVSS: 9.8 (Critical)
  • Impact: Complete device compromise without authentication
  • Exploitation:
    • Mora_001/SuperBlack ransomware (January-March 2025)
    • Qilin ransomware (May-June 2025)
    • Multiple nation-state actors
  • Added to CISA KEV: January 2025
  • Federal Deadline: 7 days (one of shortest ever issued)

2025: Crisis Accelerates

CVE-2025-24472 (FortiOS/FortiProxy - Authentication Bypass via Alternate Path)

  • Disclosed: January 2025
  • CVSS: 8.1 (High)
  • Impact: Super-admin privileges via crafted requests
  • Exploitation: Used alongside CVE-2024-55591 by Mora_001 in January-March 2025 campaign
  • Added to CISA KEV: March 2025

CVE-2025-32756 (Multiple Products - Stack Buffer Overflow)

  • Disclosed: May 2025
  • CVSS: 9.6 (Critical)
  • Affected Products: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera
  • Impact: Remote code execution without authentication
  • Exploitation: Confirmed in-the-wild, starting with FortiVoice
  • Added to CISA KEV: May 2025

CVE-2025-64446 (FortiWeb - Path Traversal/Authentication Bypass)

  • Patched: October 28, 2025 (silently)
  • Disclosed: November 14, 2025 (17 days later)
  • CVSS: 9.1 (Critical)
  • Impact: Complete administrative compromise
  • Exploitation: Active since early October 2025
  • Added to CISA KEV: November 14, 2025 (7-day deadline)

CVE-2025-58034 (FortiWeb - OS Command Injection)

  • Disclosed: November 18, 2025
  • Impact: Authenticated code execution
  • Chaining: Used with CVE-2025-64446 for full compromise
  • Added to CISA KEV: November 18, 2025

January 2025: Data Leak Crisis

In January 2025, the hacker collective “Belsen Group” leaked data from 15,000 Fortinet firewall configurations, obtained through exploitation of CVE-2022-42475.

Leaked Data Included:

  • IP addresses
  • Administrative passwords
  • Complete firewall configurations
  • Network topology information

Security researcher Kevin Beaumont confirmed the data’s authenticity by mapping it to internet-exposed Fortinet devices on Shodan.

The Pattern: Why Fortinet Keeps Getting Hit

  • Widespread Deployment: Fortinet is one of the world’s largest firewall vendors, making it a high-value target
  • Internet-Facing Management Interfaces: Many organizations expose administrative panels to the internet
  • Complex Product Line: Multiple products (FortiOS, FortiProxy, FortiWeb, FortiMail, FortiVoice, etc.) expand attack surface
  • Delayed Patching: Organizations struggle to patch on Fortinet’s timelines, especially in healthcare
  • Post-Patch Persistence: Attackers have developed techniques to maintain access even after patching
  • Zero-Day Exploitation: Multiple Fortinet products have been exploited as zero-days before patches exist
  • Credential Harvesting: When devices are compromised, attackers steal configurations and credentials for future use

The 15,000 Device Leak: A Supply Chain Time Bomb

The January 2025 Belsen Group leak represents a ticking time bomb for organizations running Fortinet equipment. With administrative credentials, network configurations, and firewall rules exposed for 15,000 devices globally, attackers have a roadmap for future breaches.

Why This Matters:

  • Credentials may still be valid if organizations didn’t rotate them
  • Network topology reveals internal architecture
  • Firewall rules show what services are exposed
  • VPN configurations reveal remote access points
  • Configuration files contain encryption keys and certificates

Geographic Distribution: Global exposure across healthcare, government, education, and enterprise sectors.

Industry Comparisons: Fortinet vs. Other Vendors

CISA KEV Appearances (Firewall/VPN Vendors):

  • Ivanti: 16 CVEs (since January 2024) - Worst performer
  • Fortinet: 20 CVEs (since 2019) - Second worst by volume
  • SonicWall: 14 CVEs (since late 2021) - Third
  • Palo Alto Networks: Multiple critical CVEs, but fewer KEV entries
  • Cisco: Targeted by Akira, but less frequent KEV appearances

Fortinet’s Distinction: While not the highest count, Fortinet has seen some of the fastest exploit development and most widespread campaigns. The CVE-2024-55591 campaign affected organizations globally within weeks of disclosure.

The Healthcare Crisis: Why Fortinet Matters

Fortinet’s Market Position in Healthcare

Fortinet is deployed extensively in healthcare environments because:

  • Cost-effective compared to enterprise alternatives
  • Integrated security platform (SIEM, firewall, WAF, email security)
  • Compliance features for HIPAA and other regulations
  • Telemedicine support during COVID-19 accelerated adoption

The Problem: These same cost and integration benefits mean that when Fortinet devices are compromised, attackers gain a foothold in the entire security infrastructure.

Case Study: The Qilin-Synnovis Attack

The June 2024 Qilin ransomware attack on Synnovis demonstrates the real-world healthcare impact of Fortinet exploitation:

Attack Vector: FortiGate vulnerability exploitation (likely CVE-2024-21762 or CVE-2024-55591)

Impact:

  • Pathology services for multiple major NHS hospitals in London disrupted
  • Over 10,000 appointments and procedures canceled (not the initially reported 700-800)
  • Blood transfusion services affected across London hospitals
  • Manual workarounds required for weeks
  • Patient safety incidents documented
  • 3TB of sensitive data including patient records compromised

Financial Damage: Estimated millions in lost revenue, response costs, and patient care impacts

Regulatory Consequences: ICO investigation, potential GDPR fines, NHS contract review

Long-term Impact: The attack continued to reverberate through 2025, with the NHS identifying it as one of the most significant cyber incidents affecting UK healthcare infrastructure.

For comprehensive coverage of the UK healthcare cyber crisis, including the Synnovis aftermath, see: UK Cyber Security Crisis 2025: The Year of Retail Ransomware and Healthcare Havoc.

The Cascade Effect: Why One Fortinet Breach Affects Dozens of Hospitals

Healthcare operates as an interconnected ecosystem. When a vendor, pathology lab, pharmacy benefit manager, or other service provider is breached via Fortinet exploitation, the damage cascades:

Example Cascade:

  • Pathology lab compromised via FortiGate vulnerability
  • Attacker gains access to lab’s connections with 50+ hospitals
  • Lateral movement to hospital networks through trusted relationships
  • Exfiltration of patient records from multiple facilities
  • Encryption or extortion affecting dozens of organizations simultaneously

This is exactly what happened in the Change Healthcare breach—one compromise affected healthcare delivery nationwide.

The Delayed Disclosure Problem: Why Silent Patching Hurts Healthcare

Fortinet’s handling of CVE-2025-64446 highlights a critical issue: delayed public disclosure after silent patching.

The Timeline That Failed Defenders

  • October 6, 2025: Security researchers at Defused detect the FortiWeb vulnerability being exploited
  • October 28, 2025: Fortinet releases a patch in FortiWeb 8.0.2
  • October 28-November 14: 17-day silence—no CVE assigned, no public advisory, no customer notification
  • November 14, 2025: Fortinet finally discloses CVE-2025-64446 and confirms exploitation
  • November 14, 2025: CISA adds it to KEV with a 7-day remediation deadline

Why This Approach Fails

The Healthcare Patch Problem:

  • Hospitals can’t patch what they don’t know exists
  • Change management requires testing, scheduling, board approval
  • Healthcare organizations follow strict change control (IT changes can disrupt patient care)
  • Many waited for “routine maintenance windows” not knowing the severity

The Defender Disadvantage: Security researcher Ryan Emmons explained: “Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed.”

The Result: Attackers had a 6-week head start (early October to mid-November) exploiting a vulnerability defenders didn’t know existed.

Industry Criticism

Researchers and CISOs have been scathing about Fortinet’s disclosure practices:

  • No CVE assignment for 17 days delayed industry awareness
  • No indicators of compromise provided, making detection nearly impossible
  • Release notes for FortiWeb 8.0.2 contained no vulnerability references
  • Security community couldn’t coordinate defenses without public information
  • GreyNoise and other threat intelligence firms were tracking suspicious activity but couldn’t attribute it

As one researcher put it: “Obscurity hurts defenders more than it impedes attackers.”

The GreyNoise Warning: Predictive Traffic Spikes

GreyNoise, a threat intelligence firm that monitors internet scanning activity, issued a stark warning in late 2025: they detected a surge in malicious traffic targeting Fortinet devices, specifically focusing on FortiSIEM management interfaces.

The Historical Pattern:

  • 80% of previous similar traffic spikes were followed by CVE disclosures within six weeks
  • GreyNoise had observed this pattern repeatedly with Fortinet products
  • The spikes indicate attackers are performing reconnaissance for vulnerable devices before public disclosure

CVE-2025-25256 (FortiSIEM - OS Command Injection):

  • CVSS: 9.8 (Critical)
  • Affected: FortiSIEM versions 5.4 through 7.3.1
  • Impact: Unauthenticated remote code execution
  • Discovery: “Practical exploit code found in the wild”
  • No distinctive IoCs: Makes detection nearly impossible

The Shift in Attacker Behavior: GreyNoise noted that instead of targeting individual SSL VPN endpoints, attackers are now focusing on centralized management infrastructure to gain access to multiple FortiGate devices simultaneously.

Translation: Compromise one FortiManager, control dozens or hundreds of firewalls.

The Federal Response: CISA’s Aggressive Stance

CISA has taken an increasingly aggressive stance on Fortinet vulnerabilities, issuing some of the shortest remediation deadlines in KEV catalog history.

Notable CISA Actions:

CVE-2024-55591: 7-day deadline (January 2025)

  • One of the shortest federal deadlines ever issued
  • Indicated CISA’s high confidence in active, widespread exploitation
  • Federal agencies scrambled to meet deadline

CVE-2025-64446: 7-day deadline (November 2025)

  • Issued immediately upon disclosure
  • CISA aware of exploitation since early October
  • Hospitals and critical infrastructure urged to treat as emergency

BOD 23-02 Invocation: CISA specifically called out internet-exposed management interfaces as creating unacceptable risk, directly targeting Fortinet deployment patterns.

What Federal Deadlines Mean for Healthcare

When CISA issues 7-day deadlines, it’s signaling to the broader cybersecurity community: this is being actively exploited at scale and you need to act immediately.

For healthcare organizations, this creates a dilemma:

  • Patch immediately and risk disrupting patient care if something breaks
  • Wait for testing and risk ransomware attack encrypting all systems

Many hospitals have chosen door #2, with catastrophic results.

The CISA Quote That Says It All

In multiple advisories related to Fortinet vulnerabilities, CISA included this stark warning:

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

Translation: Fortinet vulnerabilities are being actively, repeatedly weaponized by ransomware groups and nation-states.

What Healthcare Organizations Must Do Now

Immediate Actions (This Week)

Emergency Patch Assessment

  • Identify all Fortinet devices in your environment (FortiGate, FortiWeb, FortiMail, FortiProxy, FortiSIEM, etc.)
  • Cross-reference against CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Prioritize: CVE-2025-64446, CVE-2025-58034, CVE-2024-55591, CVE-2025-24472, CVE-2025-32756

Immediate Remediation

  • Apply all available patches from Fortinet PSIRT advisories
  • Critical: Even if patched, rotate all administrative credentials
  • Disable internet-facing management interfaces
  • Implement geo-IP restrictions on VPN access

Compromise Assessment

  • Search logs for IOCs related to known Fortinet exploits
  • Check for unauthorized administrative accounts
  • Review firewall configuration changes in past 6 months
  • Engage forensics team if any suspicious activity found
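The assessment and prioritization steps above can be scripted. The following is an added example (not code from the article or from CISA): it cross-references a constructed Fortinet inventory against a constructed excerpt of KEV records whose keys mirror the field names of CISA’s public JSON feed, ranks unpatched exposures by the article’s priority list, known ransomware use, internet-exposed management, and CISA due date, and reports how far past the federal deadline each one is. Hostnames, patch states, the assessment date, and the dueDate values are assumptions.

```python
"""Cross-reference a Fortinet device inventory against CISA KEV entries.

Added example, not code from the article. Inventory and KEV excerpt are
constructed inline; KEV keys mirror the field names of CISA's public JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# CVEs the article's "Emergency Patch Assessment" step says to prioritise.
PRIORITY_CVES = frozenset({"CVE-2025-64446", "CVE-2025-58034", "CVE-2024-55591",
                           "CVE-2025-24472", "CVE-2025-32756"})
# KEV files CVE-2025-32756 under "Multiple Products"; scope taken from the article.
MULTI_PRODUCT_SCOPE = {"CVE-2025-32756": {"FortiVoice", "FortiMail", "FortiNDR",
                                          "FortiRecorder", "FortiCamera"}}

# Constructed KEV excerpt. Dates are assumptions consistent with the article
# (dueDate = dateAdded + 7 where it reports a 7-day deadline).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet", "product": "FortiWeb",
     "dateAdded": "2025-11-14", "dueDate": "2025-11-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet", "product": "FortiWeb",
     "dateAdded": "2025-11-18", "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-01-14", "dueDate": "2025-01-21", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-32756", "vendorProject": "Fortinet", "product": "Multiple Products",
     "dateAdded": "2025-05-14", "dueDate": "2025-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2024-02-09", "dueDate": "2024-02-16", "knownRansomwareCampaignUse": "Known"},
]})


@dataclass(frozen=True)
class Device:
    name: str
    product: str                 # FortiOS, FortiWeb, FortiMail, ...
    mgmt_internet_exposed: bool  # admin interface reachable from the internet
    patched_cves: frozenset[str] = frozenset()  # fixes confirmed installed


# Constructed inventory with hypothetical hostnames.
INVENTORY = [
    Device("edge-fgt-01", "FortiOS", True, frozenset({"CVE-2024-21762"})),
    Device("waf-web-01", "FortiWeb", False),
    Device("mail-01", "FortiMail", True),
    Device("lab-vpn-02", "FortiOS", False, frozenset({"CVE-2024-21762", "CVE-2024-55591"})),
]
AS_OF = date(2025, 11, 20)  # assessment date assumed for the example


@dataclass(order=True, frozen=True)
class Finding:
    rank: tuple         # sort key, lower is more urgent
    device: str
    cve: str
    due: date
    days_overdue: int   # negative: CISA due date still ahead
    exposed: bool


def fortinet_kev_entries(kev_json: str) -> list[dict]:
    """Keep only Fortinet records from a KEV-format JSON document."""
    return [v for v in json.loads(kev_json)["vulnerabilities"] if v["vendorProject"] == "Fortinet"]


def affects(entry: dict, product: str) -> bool:
    if entry["product"] == "Multiple Products":
        return product in MULTI_PRODUCT_SCOPE.get(entry["cveID"], set())
    return entry["product"] == product


def assess(devices: list[Device], kev_json: str, as_of: date) -> list[Finding]:
    """Unpatched KEV exposures per device, most urgent first: article priority
    list, then known ransomware use, then exposed management, then due date."""
    findings = []
    for entry in fortinet_kev_entries(kev_json):
        due = date.fromisoformat(entry["dueDate"])
        for dev in devices:
            if not affects(entry, dev.product) or entry["cveID"] in dev.patched_cves:
                continue
            rank = (0 if entry["cveID"] in PRIORITY_CVES else 1,
                    0 if entry["knownRansomwareCampaignUse"] == "Known" else 1,
                    0 if dev.mgmt_internet_exposed else 1, due)
            findings.append(Finding(rank, dev.name, entry["cveID"], due,
                                    (as_of - due).days, dev.mgmt_internet_exposed))
    return sorted(findings)


def run_example() -> list[Finding]:
    return assess(INVENTORY, KEV_JSON, AS_OF)
```

Every device that appears with `exposed=True` also belongs on the “disable internet-facing management” and credential-rotation lists from the remediation step, regardless of patch state.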

Short-Term Actions (This Month)

Vendor Risk Reassessment

  • Evaluate whether Fortinet’s disclosure practices meet your risk tolerance
  • Compare incident response between Fortinet vs. alternatives
  • Consider migration timeline if risk is unacceptable

Defense in Depth

  • Deploy EDR/XDR solutions on all endpoints
  • Implement network segmentation (don’t rely solely on firewall)
  • Deploy deception technology (honeypots) to detect lateral movement
  • Enable MFA everywhere, especially VPN and administrative access

Backup Verification

  • Ensure offline, immutable backups of all critical systems
  • Test restoration procedures (ransomware assumes you can’t restore)
  • Store backups off-network and offsite

Long-Term Strategy

Zero Trust Architecture

  • Assume your perimeter is already compromised
  • Implement continuous verification of all users and devices
  • Micro-segmentation to limit lateral movement
  • Eliminate implicit trust between systems

Threat Intelligence Integration

  • Subscribe to feeds like GreyNoise, Shodan, Censys
  • Monitor for scanning activity targeting your devices
  • Join healthcare ISACs for sector-specific intelligence

Board-Level Reporting

  • Present Fortinet risk profile to board and executive leadership
  • Quantify potential impact (patient care disruption, regulatory fines)
  • Request budget for remediation or migration

Regulatory Compliance

  • Update HIPAA risk assessments to reflect Fortinet vulnerabilities
  • Document remediation efforts for OCR audits
  • Prepare breach notification procedures

The Uncomfortable Questions Leadership Must Answer

  • When a firewall vendor has 20 CVEs on CISA’s Known Exploited Vulnerabilities catalog, at what point does continuing to use their products become negligent?
  • If Fortinet takes 17 days to publicly disclose an actively exploited zero-day, how can we rely on them to protect patient data?
  • When healthcare ransomware attacks have impacted 259 million Americans in a single year, mostly through unpatched vulnerabilities, why are we still falling behind on patching?
  • If 42% of healthcare organizations cite “lack of people and capacity” as a security failure contributor, why aren’t boards investing in cybersecurity staff?
  • When a single Fortinet compromise can cascade to affect dozens of hospitals through trusted vendor relationships, why are we still treating vendor risk as a checkbox exercise?

These aren’t rhetorical questions—they’re the questions regulatory bodies, plaintiff attorneys, and congressional committees will ask after the next major healthcare breach.

Lessons from the SonicWall Comparison

In our recent analysis of the Marquis Software breach (which exposed 788,000 bank customers through SonicWall exploitation), we documented SonicWall’s 14 CVEs on CISA KEV and ongoing targeting by Akira ransomware.

The Parallel is Clear:

  • Both vendors have 14-20 CVEs on CISA KEV
  • Both are repeatedly exploited by the same ransomware groups (Akira, Qilin, LockBit variants)
  • Both suffer from post-patch persistence techniques
  • Both have customers who remain unpatched for months after disclosure
  • Both have delayed disclosure issues

The Difference:

  • SonicWall primarily impacts financial services and SMBs
  • Fortinet breaches are devastating healthcare and critical infrastructure

The human cost of Fortinet exploitation—canceled surgeries, delayed cancer treatments, disrupted pathology services—is immeasurably higher.

Conclusion: Healthcare Cannot Afford Business as Usual

The evidence is overwhelming: Fortinet products are under sustained, sophisticated attack by the world’s most dangerous ransomware groups, and healthcare is bearing the brunt of the damage.

With 20 CVEs on CISA’s KEV catalog, active exploitation in ongoing campaigns, delayed disclosure practices, and 444 healthcare incidents in 2024 alone affecting 259 million Americans, the status quo is untenable.

Healthcare CISOs and boards face a critical decision:

  • Accept the risk of continuing with Fortinet, implementing defense-in-depth, and maintaining aggressive patching
  • Migrate away to vendors with better security track records and disclosure practices
  • Hybrid approach: Keep Fortinet where acceptable, but eliminate internet-facing management interfaces and segment critical assets

What’s not acceptable is doing nothing.

The next Synnovis, Change Healthcare, or Ascension breach is not a question of “if”—it’s “when” and “which hospital system.”

Every day of delay in addressing known Fortinet vulnerabilities is a day attackers have to refine their techniques, scan for victims, and prepare their next campaign.

For healthcare organizations responsible for patient safety, the time to act is now—not after the ransomware has already encrypted your systems and stolen your patients’ medical records.

Analysis conducted December 2025. Information compiled from CISA advisories, healthcare sector reports, security vendor research, and threat intelligence. Healthcare organizations should consult with legal counsel and security professionals regarding remediation strategies and regulatory compliance.