
The Gentlemen Ransomware Hits 478 Victims in Months: In Through FortiGate Auth Bypass CVE-2024-55591, and It Spreads Like a Worm

2026.06.14

A record-fast ransomware crew whose main door is the CVSS 9.8 FortiOS authentication-bypass flaw; the malware is Go-written, Garble-obfuscated, and with a --spread flag becomes a self-replicating network worm — already about 10% of global ransomware activity in April


The Gentlemen, a ransomware crew less than a year old yet scaling at record pace, is aiming squarely at corporate network edges. Security research identifies its main door as CVE-2024-55591 — a FortiOS/FortiProxy authentication bypass rated CVSS 9.8, where one unauthenticated request bypasses login and grabs admin. The shock in one line: your firewall is becoming the attacker's front door.

Technically the flaw lives in FortiOS's internet-facing management interface (a Node.js websocket component) — a textbook unauthenticated privilege escalation into full takeover. The chain: scan the public internet for exposed FortiGate management ports → use CVE-2024-55591 to bypass auth and create a super-admin → pivot from the edge into the internal network → drop a Go-written, Garble-obfuscated encryptor. The nastiest design is the --spread flag: enable it and the malware turns from a single-host encryptor into a worm that replicates to every reachable machine. Beyond the CVE, the group brute-forces roughly 1,000 Fortinet VPN instances, often with weak credentials like gentlemen25 and Gentlemen25.

The scope is staggering: The Gentlemen claim at least 478 victims across 66 countries and 20-plus sectors, and in April 2026 alone accounted for about 10% of global ransomware activity; worse, the group holds a stockpile of roughly 14,700 already-compromised FortiGate devices — ammunition it can fire at will. Only about 13% of victims are in the U.S.; the bulk sit in Thailand, the U.K., Brazil, Germany and India. This is a global, indiscriminate hunter with a special appetite for poorly secured edge devices.

Why act within 24 hours: the patch has long existed, but patched does not mean clean. Below: the vulnerability class and attack path, a patch-vs-mitigation table, IOCs you can match now, and concrete advice for PHP/Laravel/Nginx/Linux environments.

Technical details: vulnerability class + attack path

Class: unauthenticated authentication bypass leading to privilege escalation and RCE-level takeover — network vector, no interaction, no existing account. Affected is the internet-exposed FortiOS/FortiProxy management interface (affected versions in the official FortiGuard PSIRT FG-IR-24-535, covering FortiOS 7.0.0–7.0.16 and more). Four-step path: a crafted request to the exposed management port → auth bypass and creation of a malicious super-admin → lateral movement using the edge as a foothold → drop the Go encryptor (optionally worm-ized with --spread). Education, manufacturing and professional services are high-risk because they routinely put device management interfaces straight on the public internet.

Immediate actions for three audiences

  • Sysadmins: compare FortiOS versions and apply the official fix now; pull every edge device's management interface (HTTP/HTTPS/SSH) off the public internet behind VPN or IP allow-list; hunt login and config-change logs for rogue super-admins and foreign-origin sessions.
  • Developers: even without Fortinet, the principle holds — admin panels, ERP, phpMyAdmin should not face the open internet. Minimal Nginx defense:
# Admin/backend paths: office and VPN ranges only
location /admin/ {
    allow 203.0.113.0/24;   # office
    allow 10.8.0.0/16;      # vpn
    deny  all;
}
  • Agencies / consultants: send clients a notice whose title asks: do you have any admin panel or firewall interface directly facing the internet? Attach a free attack-surface checklist. The lesson applies to every custom-system client.

Patch vs. mitigation

| Item | Status | Action |
| --- | --- | --- |
| Official patch | Available | Upgrade now to the fixed version named by FortiGuard |
| Network-level mitigation | Self-serve | Management behind VPN/allow-list; disable WAN-side HTTP/HTTPS admin |
| Account-level mitigation | Self-serve | Strong passwords + 2FA on all VPN/admin accounts; remove unknown super-admins |
| Compromise lookback | Mandatory (post-patch) | Review login logs, config changes, gentlemen25-style accounts; rotate credentials |

IOCs and threat intel

  • Credential strings used in VPN/management brute force: gentlemen25, Gentlemen25
  • Go-written, Garble-obfuscated encryptor binaries; worm behavior when the command line includes --spread
  • Unexpected super-admin accounts on FortiGate management ports, or anomalous logins from Thailand/U.K./Brazil and similar
  • Group background: a former affiliate of RaaS such as LockBit, Qilin and Medusa, running multi-channel extortion (ransomware + email + phone); also tracking CVE-2025-32433 and CVE-2025-33073
  • Full intel: The Hacker News and the Halcyon threat assessment

What nobody tells you

  • This is not a new flaw — it is an old flaw industrialized by a new crew. The CVE-2024-55591 patch existed long ago; victims are all the organizations that dragged out the patch window. The real problem is not the vulnerability but patch cadence and asset inventory, which is harder than any zero-day.
  • 14,700 stockpiled devices means the worst case already happened: many organizations are fine today only because the attacker has not gotten to them yet. Treating present quiet as safety is exactly the misjudgment these backdoors love.

The bigger trend

Ransomware is going edge-first and automated: attackers no longer bother phishing — they scan public edge devices, bulk-enter via known auth-bypass flaws, then use worm-ized encryptors to cut labor. For SMBs this means patch speed and not exposing the management plane now outrank which antivirus you buy as the top security metric.

FAQ

We run Fortinet firewalls — how do we quickly tell if we are hit?

Do three things now: check whether your FortiOS version is in the affected list (FortiOS 7.0.0–7.0.16 etc.) and unpatched; review admin-login logs for foreign-origin sessions or accounts using strings like gentlemen25/Gentlemen25; and see whether management ports (HTTP/HTTPS/SSH) face the public internet. Any hit triggers incident response.
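One way to run those three checks offline, as an added example that is not code from the article, from ScriptWalker or from Fortinet: it also covers the sysadmin hunt for rogue super-admins and foreign-origin sessions and the credential-string IOCs listed earlier. Everything it operates on is constructed and labelled as such: the trusted office/VPN ranges, the baseline of known admin accounts, the sample log lines (an approximation of FortiGate key=value event syslog, not a guaranteed field layout) and the interface config. The version check covers only the 7.0.0 to 7.0.16 branch the page names; consult the advisory for other branches.

```python
"""Offline triage for the three FortiGate checks: version, logs, exposed management.
Added example, not from the article or Fortinet. Log lines, interface config,
trusted ranges and the known-admin baseline below are constructed assumptions."""
import ipaddress
import re

# Affected 7.0.x range as stated in the article (FG-IR-24-535 lists other branches too).
AFFECTED_FORTIOS_RANGE = ((7, 0, 0), (7, 0, 16))
# Credential strings the article lists as IOCs; compared case-insensitively,
# so one entry covers both gentlemen25 and Gentlemen25.
IOC_USERNAMES = {"gentlemen25"}
# Assumed baseline of admin accounts you provisioned yourself (hypothetical names).
KNOWN_ADMINS = {"admin", "netops"}
# Assumed ranges from which admin logins are legitimate: office and VPN pool.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("10.8.0.0/16")]
# Admin protocols that must not be reachable on a WAN-role interface.
MGMT_SERVICES = {"http", "https", "ssh"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn key=value and key="quoted value" pairs into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def fortios_version_affected(version):
    """True when a version string such as 'v7.0.12' falls inside 7.0.0-7.0.16."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    lo, hi = AFFECTED_FORTIOS_RANGE
    return lo <= tuple(int(x) for x in m.groups()) <= hi


def triage_logs(lines):
    """Return (finding, account, srcip) tuples for three signals: IOC usernames,
    admin logins from outside trusted ranges, and creation of unknown admins."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        user, src = ev.get("user", ""), ev.get("srcip")
        if user.lower() in IOC_USERNAMES:
            findings.append(("ioc_username", user, src))
        if ev.get("logdesc") == "Admin login successful" and src:
            if not any(ipaddress.ip_address(src) in net for net in TRUSTED_SOURCES):
                findings.append(("login_from_untrusted_source", user, src))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            account = ev.get("cfgobj", "")
            if account not in KNOWN_ADMINS:
                findings.append(("unexpected_admin_created", account, src))
    return findings


def exposed_management(config_text):
    """Map WAN-role interfaces to the admin protocols their allowaccess permits,
    parsing a 'config system interface' block written in FortiOS CLI syntax."""
    exposed, name, role, access = {}, None, None, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name, role, access = line[5:].strip().strip('"'), None, set()
        elif line.startswith("set role "):
            role = line.split()[2]
        elif line.startswith("set allowaccess "):
            access = set(line.split()[2:])
        elif line == "next" and name:
            if role == "wan" and access & MGMT_SERVICES:
                exposed[name] = sorted(access & MGMT_SERVICES)
            name = None
    return exposed


# Constructed sample input: one legitimate login, then an untrusted-source login
# that creates a super-admin named after the IOC string, which then logs in itself.
SAMPLE_LOGS = [
    'date=2026-06-10 time=08:01:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.17 action="login" status="success"',
    'date=2026-06-10 time=23:44:03 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-06-10 time=23:44:30 type="event" subtype="system" logdesc="Object configured" user="admin" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="gentlemen25" cfgattr="accprofile[super_admin]"',
    'date=2026-06-11 time=00:02:15 type="event" subtype="system" logdesc="Admin login successful" user="Gentlemen25" srcip=198.51.100.77 action="login" status="success"',
]

# Constructed interface config: wan1 still answers HTTPS and SSH from the internet.
INTERFACE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh http
    next
end
"""

if __name__ == "__main__":
    print("version affected:", fortios_version_affected("v7.0.12"))
    for finding in triage_logs(SAMPLE_LOGS):
        print("log finding:", finding)
    print("WAN-exposed admin protocols:", exposed_management(INTERFACE_CONFIG))
```

On a real device you would feed `triage_logs` an exported event log and `exposed_management` the output of `show system interface`, after replacing the trusted ranges and known-admin baseline with your own. Any finding from the second or third check is the trigger for the incident response the answer describes, and a WAN interface with http, https or ssh in its allowaccess is the exposure the whole article warns about.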

We are not on Fortinet — does this concern us?

Yes. The core lesson is not a brand but the combination edge device + unpatched auth bypass + management interface on the public internet. Cisco, Check Point and Ivanti have all had same-class flaws recently. Pulling any edge device's admin interface behind VPN or an IP allow-list is the action to take away.

The patch is out — are we safe once we apply it?

Patching is necessary but not sufficient. The Gentlemen hold a stockpile of roughly 14,700 already-compromised FortiGate devices, meaning backdoors planted during the window do not vanish because you upgraded today. After patching you must hunt for compromise (login logs, config changes, rogue accounts) and rotate all credentials.

An SMB with no security team — what is the lowest-cost defense?

Three steps: never expose edge-device management to the public internet (VPN/allow-list only), enable and retain login and config-change audit logs, and move all VPN/admin accounts to strong passwords with two-factor. None require new tools, yet they block most of this attack chain's entry points.

My take

The mainstream will say patch Fortinet fast, deploy EDR fast. My read cuts against the wind: for most SMBs this incident declares the end of the self-managed edge-device era. When a crew half a year old can stockpile 14,700 backdoors and sweep 66 countries using a flaw that was patchable a year ago, the question is no longer whether you patch fast enough but whether you should be running an internet-exposed firewall management interface yourself at all. Converging the edge to zero management-plane exposure plus managed monitoring is more pragmatic than chasing patches. The ScriptWalker client-care opportunity: turn attack-surface review into a quarterly service — scan every external entry point per client (web admin, phpMyAdmin, firewall/VPN management plane, SSH) and deliver an exposure list and a reduction plan. This Gentlemen campaign is the perfect opening case study.
