An attacker who exploits this flaw gains full administrative control of your organization's edge firewall or proxy appliance without needing a password — the device that controls what enters and exits your network. From that position, the Gentlemen group deploys ransomware, which can halt operations, lock critical systems, and trigger regulatory breach notification obligations if sensitive data is encrypted or exfiltrated. The combination of a public exploit, a 99th-percentile exploitation likelihood score, and active ransomware deployment means the window between exposure and incident is short — organizations with unpatched internet-facing FortiGate or FortiProxy devices should treat this as an active emergency, not a scheduled maintenance item.
You Are Affected If
You run Fortinet FortiOS versions 7.0.0 through 7.0.16 in production
You run Fortinet FortiProxy versions 7.0.0 through 7.0.19 or 7.2.0 through 7.2.12 in production
Your FortiGate or FortiProxy management interface is reachable from the internet or untrusted networks
You have not applied the patches specified in FortiGuard advisory FG-IR-24-535
Your Fortinet VPN endpoints permit authentication attempts without MFA or account lockout controls
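To turn the version ranges above into a patch-triage list, here is an added Python example (not from the advisory or from Fortinet): it parses the version strings FortiGate and FortiProxy devices report, checks them against the ranges listed above, and separates affected devices by whether their management interface is exposed. The inventory rows, hostnames and build numbers are constructed; a device outside the listed ranges is reported as "not listed", not as fixed, so confirm fixed versions against FG-IR-24-535.

```python
import re

# Affected version ranges exactly as listed above (inclusive bounds).
# Assumption: anything outside these ranges is treated as "not listed",
# not as patched; the fixed versions come from FG-IR-24-535, not from here.
AFFECTED_RANGES = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v7.0.16',
    '7.0.16,build0001' or 'FortiOS v7.0.14 build0001'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(product, version_text):
    """True if the product/version lies inside a listed affected range."""
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES[product])


def triage(inventory):
    """Rows: (hostname, product, version string, mgmt_exposed).
    Returns (emergency, scheduled): affected devices whose management
    interface is reachable from untrusted networks go first."""
    emergency, scheduled = [], []
    for host, product, version, exposed in inventory:
        if not is_affected(product, version):
            continue
        (emergency if exposed else scheduled).append(host)
    return emergency, scheduled


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.16,build0001", True),
    ("fw-edge-02", "FortiOS", "v7.0.17,build0002", True),
    ("fw-lab-03", "FortiOS", "7.0.12", False),
    ("proxy-01", "FortiProxy", "7.2.12", True),
    ("proxy-02", "FortiProxy", "7.2.13", True),
    ("proxy-03", "FortiProxy", "7.4.1", True),
]

if __name__ == "__main__":
    urgent, later = triage(SAMPLE_INVENTORY)
    print("EMERGENCY (exposed + affected):", urgent)
    print("Affected, not exposed:", later)
```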
Board Talking Points
Attackers are actively exploiting a publicly known flaw in our Fortinet firewall product to gain complete administrative control without a password — this is not theoretical risk.
IT security must apply the vendor-issued patch and restrict management interface access within 24 hours; this vulnerability is on the U.S. government's list of actively exploited flaws.
Organizations that do not patch face ransomware deployment that can shut down operations and trigger mandatory breach notification to regulators.
CISA KEV Binding Operational Directive 22-01 — CVE-2024-55591 was added to the CISA Known Exploited Vulnerabilities catalog in January 2025; U.S. federal civilian agencies have mandatory remediation obligations under BOD 22-01, and the KEV listing signals active exploitation relevant to any regulated entity's risk posture.
HIPAA Security Rule — FortiGate and FortiProxy appliances that protect networks carrying electronic protected health information (ePHI) are directly in scope; administrative control of these devices provides access to the network segments and data flows those appliances protect.
PCI-DSS — Fortinet edge devices protecting cardholder data environments are network security controls in scope for PCI-DSS; unauthenticated super-admin access to these devices represents a direct control failure under PCI-DSS Requirement 1 (network security controls) and Requirement 8 (authentication).