FortiGate linked to 332 ransomware victims
- Decryption Digest said on May 19 that attackers used FortiGate appliances to gain access and deploy the Gentlemen ransomware, citing observed online victim activity.
- The advisory's key figure was 332 victims over five months, and it urged immediate patching of CVE-2024-55591 and disabling exposed management interfaces.
- Fortinet's PSIRT and public CVE records list CVE-2024-55591; affected organizations' next step is patching appliances and restricting internet-facing administration.
Decryption Digest said on May 19 that attackers were using FortiGate appliances as an initial access point to deploy the Gentlemen ransomware, according to a post and linked advisory. The outlet said it identified 332 victims over five months and tied the activity to CVE-2024-55591, a FortiGate flaw it said should be patched immediately. The advisory also called on administrators to disable exposed management interfaces. Fortinet and public CVE listings separately publish CVE-2024-55591 as a tracked vulnerability.

### What exactly did the advisory say attackers were doing?

Decryption Digest said the intrusion pattern began with access through FortiGate appliances and ended with deployment of the Gentlemen ransomware. The post described FortiGate as the initial access vector and said the ransomware operators were active online as of May 19. The 332-victim figure was presented as activity identified over a five-month period. (fortiguard.com) Decryption Digest's recommendation was operational rather than forensic: patch CVE-2024-55591 immediately and turn off management interfaces exposed to the internet.

### What is CVE-2024-55591, and why is it central here?

CVE-2024-55591 is a published FortiGate vulnerability tracked in public records and Fortinet security material. Those records establish the flaw as a real, named issue affecting Fortinet gear, which is why Decryption Digest anchored its warning to that identifier rather than to a generic "FortiGate exploit." (bleepingcomputer.com) Fortinet's PSIRT page and the CVE record do not by themselves confirm Decryption Digest's 332-victim count. (fortiguard.com) They do, however, support the narrower factual point that CVE-2024-55591 exists, is assigned to FortiGate-related software, and is the patch target cited in the warning.

### Why would exposed management interfaces matter in a ransomware case?

Internet-facing administration panels are a recurring concern because they can give attackers a direct path to privileged control if a flaw or weak credential is present. (fortiguard.com) Decryption Digest's call to disable exposed management interfaces indicates it viewed remote administrative exposure as part of the attack path, not just a general hardening step. BleepingComputer previously reported on Fortinet warnings around exploited FortiGate vulnerabilities, underscoring that edge security devices remain a frequent focus in intrusion activity. That reporting does not verify the Gentlemen count, but it aligns with the broader pattern of FortiGate devices being used as an entry point in real-world attacks.

### What can be confirmed now, and what remains unverified?

The May 19 date, the 332-victim claim, the Gentlemen ransomware name, and the recommendation to patch CVE-2024-55591 come from Decryption Digest's own warning as described in the source briefings. (bleepingcomputer.com) Public Fortinet and CVE sources confirm the vulnerability identifier, but they do not independently reproduce the victim total in the material reviewed here. The result is a narrow, source-backed picture: a cyber threat intelligence outlet said it saw a five-month victim cluster tied to FortiGate access and Gentlemen ransomware, and the vendor-linked remediation path points to patching CVE-2024-55591 and reducing administrative exposure. (bleepingcomputer.com)

### What should affected organizations look for next?

Fortinet customers should compare appliance versions against Fortinet's PSIRT guidance for CVE-2024-55591 and remove any internet-exposed management access where it is not required. (fortiguard.com) Security teams would also typically review administrator logins, new local accounts, configuration changes and signs of post-access ransomware activity after patching, though those steps are a standard defensive inference rather than a quoted instruction from Decryption Digest.
Fortinet’s security advisories page and the CVE record remain the named public sources for version guidance and vulnerability tracking, while Decryption Digest’s May 19 post is the named source for the 332-victim claim and the Gentlemen attribution. (fortiguard.com)