The Qilin ransomware group, also tracked as Phantom Mantis, has launched a wave of attacks targeting unpatched Fortinet devices, exploiting critical vulnerabilities to bypass authentication and remotely deploy malicious code.
According to cybersecurity firm PRODAFT, Qilin began a coordinated campaign between May and June 2025 using Fortinet vulnerabilities CVE-2024-21762 and CVE-2024-55591.
Qilin, which has been operating as a Ransomware-as-a-Service (RaaS) since 2022, has publicly claimed over 310 victims. Its past targets include high-profile organizations such as auto manufacturer Yangfeng, media giant Lee Enterprises, Australia's Court Services Victoria, and UK pathology provider Synnovis. In the last case, the breach disrupted NHS services across several London hospitals.
PRODAFT notes a surge in attacks against Spanish-speaking countries, although analysts say that Qilin's target selection remains opportunistic.
One of the exploited flaws, CVE-2024-55591, had previously been used as a zero-day in attacks dating back to November 2024. The SuperBlack ransomware, tied to the LockBit cybercrime group, also leveraged this vulnerability. The other flaw, CVE-2024-21762, was patched in February 2025, yet nearly 150,000 systems remain exposed, according to data from the Shadowserver Foundation.
Fortinet devices have increasingly become prime targets for both ransomware groups and state-sponsored actors. In February, Chinese APT group Volt Typhoon exploited CVE-2022-42475 in FortiOS sslvpnd to deploy the custom COATHANGER malware in a cyber-espionage campaign affecting the Dutch Ministry of Defense.