FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
After gaining a foothold in thousands of Fortinet firewalls, the attackers are starting to monetize that access, and are also piling on a Nextcloud zero-day bug.
Discover the latest Fortinet cybersecurity insights, updates, and solutions. Protect your information with cutting-edge Fortinet security news and trends.
Search across headline titles and summaries.
Background for this topic.
Fortinet is a cybersecurity vendor best known for FortiGate, a network firewall platform running FortiOS. FortiGate appliances, virtual machines, and cloud deployments provide traffic filtering, VPN access, intrusion prevention, and network segmentation; related products manage devices, collect security telemetry, or protect endpoints. FortiGuard Labs supplies threat intelligence and detection updates used across parts of this ecosystem.
Fortinet matters to security teams because its devices commonly sit at network boundaries and may expose administrative interfaces or SSL-VPN services to the internet. Vulnerabilities in FortiOS or supporting products can therefore create a path to authentication bypass, unauthorized access, or interception of remote connections when affected configurations are present. Practitioners should track Fortinet advisories, promptly apply firmware and signature updates, restrict management access, use multifactor authentication where supported, and monitor device logs and configuration changes. During an incident, preserve firewall and VPN telemetry and review connected systems rather than treating the appliance as an isolated asset.
Weekly headline count for the current query.
After gaining a foothold in thousands of Fortinet firewalls, the attackers are starting to monetize that access, and are also piling on a Nextcloud zero-day bug.
Attackers are actively targeting various sectors across nearly 200 countries and already have compiled a list of working credentials for tens of thousands of compromised devices.
The authentication bypass flaw, tracked as CVE-2026-35616, is the latest in a series of Fortinet vulnerabilities that have been exploited in the wild.
CVE-2025-53521 was initially disclosed in October as a high-severity denial-of-service (DoS) flaw, but new information has revealed the bug is actually much more dangerous.
To stop the ongoing attacks, the cybersecurity vendor took the drastic step of temporarily disabling FortiCloud single sign-on (SSO) authentication for all devices.
Automated infections of potentially fully patched FortiGate devices are allowing threat actors to steal firewall configuration files.
CVE-2025-64155, a command injection vulnerability, was disclosed earlier this week and quickly came under attack from a variety of IP addresses.
Attackers targeted admin accounts, and once authenticated, exported device configurations including hashed credentials and other sensitive information.
A second zero-day vulnerability in its web application firewall (WAF) line has come under attack, raising more questions about the vendor's disclosure practices.
The vulnerability could allow an unauthenticated attacker to remotely execute administrative commands.
The company disclosed a critical FortiSIEM flaw with a PoC exploit for it the same week researchers warned of an ominous surge in malicious traffic targeting the vendor's SSL VPNs.
A threat actor posted about the zero-day exploit on the same day that Fortinet published a warning about known vulnerabilities under active exploitation.
CISA this week added CVE-2025-24472 to its catalog of known exploited vulnerabilities, citing ransomware activity targeting the authentication bypass flaw.
The Mora_001 group uses similar post-exploitation patterns and ransomware customization originated by LockBit.
The firewall specialist has patched the security flaw, which was responsible for a series of attacks reported earlier this month that compromised FortiOS and FortiProxy products exposed to the public Internet.
The stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.
An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.
Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.
An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.
The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments.