
A new ransomware operator named ‘Mora_001’ is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.

The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.

When Fortinet first disclosed CVE-2024-55591 on January 14, they confirmed it had been exploited as a zero-day, with Arctic Wolf stating it had been used in attacks since November 2024 to breach FortiGate firewalls.
