Fortinet (FortiClientEMS users)

In July 2025, Fortinet’s FortiClientEMS (versions 7.2.0–7.2.2 and 7.0.1–7.0.10) was exploited by the Qilin ransomware group via **CVE-2023-48788**, a critical SQL injection vulnerability. The flaw allowed attackers to execute arbitrary SQL commands through crafted HTTP requests, enabling unauthorized data access, encryption, and potential exfiltration. Qilin’s targeted exploitation of this vulnerability contributed to the group’s dominance of the ransomware landscape, with 73 confirmed victims in July alone. Affected organizations, primarily in high-value sectors such as **government, law enforcement, energy, and telecommunications**, faced operational disruptions, financial losses, and reputational damage. That a vulnerability of this age remained exploitable underscores the systemic risk posed by unpatched enterprise systems; Qilin used it both to deploy ransomware and to extort victims with threatened data leaks. Critical infrastructure entities were disproportionately affected, and the threat’s severity was amplified by cascading effects on supply chains and public services.

Source: https://cybersecuritynews.com/qilin-ransomware-leads-the-attack-landscape/

TPRM report: https://www.rankiteo.com/company/fortinet

"id": "for753081525",
"linkid": "fortinet",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Public Sector',
                                     'Critical Infrastructure',
                                     'Energy',
                                     'Telecommunications',
                                     'Technology (Software)'],
                        'location': [{'country': 'United States',
                                      'victim_count': 223},
                                     {'country': 'Canada', 'victim_count': 28},
                                     {'country': 'Other (Global)',
                                      'victim_count': 172}],
                        'type': ['Government Agencies',
                                 'Law Enforcement',
                                 'Energy/Utilities Providers',
                                 'Telecommunications Companies',
                                 'Software Providers (Supply Chain)']}],
 'attack_vector': ['Exploitation of Known Vulnerabilities (CVE-2023-48788, '
                   'CVE-2019-18935, CVE-2025-5777, etc.)',
                   'SQL Injection (Fortinet FortiClientEMS)',
                   'Deserialization Attack (Progress Telerik UI)',
                   'Out-of-Bounds Read (Citrix NetScaler)',
                   'Ransomware-as-a-Service (RaaS) Operations',
                   'Supply Chain Attacks via Compromised Software Providers'],
 'data_breach': {'data_encryption': 'Confirmed (ransomware encryption)',
                 'data_exfiltration': "Likely (based on Qilin's "
                                      'double-extortion tactics)',
                 'personally_identifiable_information': 'Possible (not '
                                                        'explicitly detailed)',
                 'sensitivity_of_data': 'High (critical infrastructure and '
                                        'proprietary software)',
                 'type_of_data_compromised': ['Sensitive Government/Law '
                                              'Enforcement Data',
                                              'Energy/Utilities Operational '
                                              'Data',
                                              'Telecommunications '
                                              'Customer/Network Data',
                                              'Supply Chain Software Source '
                                              'Code/Proprietary Data']},
 'date_detected': '2025-07-01',
 'date_publicly_disclosed': '2025-08-01',
 'description': 'The Qilin ransomware group maintained its dominant position '
                'in July 2025, claiming 73 victims (17.3% of 423 total '
                'ransomware incidents). The group systematically exploited '
                'seven critical vulnerabilities, including CVE-2023-48788 '
                '(Fortinet FortiClientEMS SQL injection), CVE-2019-18935 '
                '(Telerik UI deserialization), and CVE-2025-5777 (Citrix '
                'NetScaler out-of-bounds read). Targets included U.S. critical '
                'infrastructure (government, energy, telecom) and supply chain '
                'entities via compromised software providers. The U.S. '
                'accounted for 223 victims, with Qilin outpacing competitors '
                'like INC Ransom (59 victims).',
 'impact': {'brand_reputation_impact': 'High (public disclosure of 73 victims)',
            'data_compromised': 'High (critical infrastructure and supply '
                                'chain data)',
            'identity_theft_risk': 'Likely (given data exfiltration patterns)',
            'operational_impact': 'Severe (critical infrastructure disruption, '
                                  'supply chain risks)',
            'payment_information_risk': 'Possible (depends on compromised '
                                        'systems)',
            'systems_affected': ['Fortinet FortiClientEMS',
                                 'Progress Telerik UI for ASP.NET AJAX',
                                 'Citrix NetScaler ADC/Gateway',
                                 'Microsoft SharePoint',
                                 'Government/Law Enforcement Systems',
                                 'Energy/Utilities Infrastructure',
                                 'Telecommunications Networks',
                                 'Application Software Providers (Supply '
                                 'Chain)']},
 'initial_access_broker': {'data_sold_on_dark_web': "Likely (based on Qilin's "
                                                    'leak site activity)',
                           'entry_point': ['Exploited Vulnerabilities (e.g., '
                                           'Fortinet, Telerik, Citrix, '
                                           'SharePoint)',
                                           'Compromised Software Providers '
                                           '(Supply Chain)'],
                           'high_value_targets': ['U.S. Critical '
                                                  'Infrastructure',
                                                  'Government/Law Enforcement',
                                                  'Energy/Utilities',
                                                  'Telecommunications']},
 'investigation_status': 'Ongoing (as of August 2025)',
 'lessons_learned': ['Critical importance of **proactive patch management** '
                     'for internet-facing systems.',
                     'Need for **robust network segmentation** to limit '
                     'lateral movement.',
                     'Rising threat of **supply chain compromises** via '
                     'software providers.',
                     'Persistent targeting of **critical infrastructure** by '
                     'sophisticated RaaS groups.',
                     'Exploitation of **known vulnerabilities** remains a '
                     'primary attack vector.'],
 'motivation': ['Financial Gain',
                'Operational Disruption',
                'Data Exfiltration for Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory patching '
                                                   'timelines for critical '
                                                   'CVEs.',
                                                   'Zero-trust architecture '
                                                   'implementation.',
                                                   'Supply chain security '
                                                   'frameworks (e.g., NIST '
                                                   'SSDF).',
                                                   'Enhanced threat '
                                                   'intelligence sharing for '
                                                   'RaaS groups.'],
                            'root_causes': ['Unpatched Critical '
                                            'Vulnerabilities in Enterprise '
                                            'Software',
                                            'Inadequate Network Segmentation '
                                            'Allowing Lateral Movement',
                                            'Supply Chain Security Gaps in '
                                            'Software Providers',
                                            'Persistent Targeting by '
                                            'Sophisticated RaaS Groups']},
 'ransomware': {'data_encryption': 'Confirmed',
                'data_exfiltration': 'Likely (double-extortion model)',
                'ransomware_strain': 'Qilin'},
 'recommendations': ['Immediate patching of **CVE-2023-48788 (Fortinet)**, '
                     '**CVE-2019-18935 (Telerik)**, and **CVE-2025-5777 '
                     '(Citrix)**.',
                     'Enhanced monitoring for **Microsoft SharePoint '
                     'vulnerabilities (CVE-2025-53770/71, '
                     'CVE-2025-49704/06)**.',
                     'Implementation of **network segmentation** to isolate '
                     'critical systems.',
                     'Regular **vulnerability assessments** and penetration '
                     'testing for internet-facing applications.',
                     'Supply chain risk management, including **third-party '
                     'software provider audits**.',
                     'Deployment of **adaptive behavioral WAFs** to detect '
                     'exploitation attempts.',
                     'Preparation for **ransomware response**, including '
                     'offline backups and incident playbooks.'],
 'references': [{'date_accessed': '2025-08-01', 'source': 'Cyble Research'}],
 'response': {'enhanced_monitoring': 'Recommended for early detection',
              'network_segmentation': 'Recommended to limit blast radius',
              'remediation_measures': ['Proactive Patch Management '
                                       '(Recommended)',
                                       'Vulnerability Remediation Programs '
                                       '(Recommended)',
                                       'Securing Internet-Facing Applications '
                                       '(Recommended)',
                                       'Robust Network Segmentation '
                                       '(Recommended)']},
 'threat_actor': {'attribution': {'confidence': 'High',
                                  'source': 'Cyble Research'},
                  'historical_activity': 'Dominant for 3 of the last 4 months '
                                         '(as of July 2025)',
                  'name': 'Qilin Ransomware Group',
                  'tactics': ['Persistent Targeting of High-Value Western '
                              'Entities',
                              'Exploitation of Critical Infrastructure',
                              'Supply Chain Compromise via Software Providers',
                              'Systematic Vulnerability Weaponization'],
                  'type': 'Ransomware-as-a-Service (RaaS) Operator'},
 'title': 'Qilin Ransomware Group Dominates July 2025 with 73 Victims, '
          'Exploiting Critical Enterprise Vulnerabilities',
 'type': ['Ransomware Attack',
          'Data Breach',
          'Critical Infrastructure Targeting',
          'Supply Chain Compromise'],
 'vulnerability_exploited': [{'cve_id': 'CVE-2023-48788',
                              'description': 'SQL injection in Fortinet '
                                             'FortiClientEMS (versions '
                                             '7.2.0–7.2.2, 7.0.1–7.0.10)',
                              'exploitability': 'High (arbitrary SQL command '
                                                'execution via crafted HTTP '
                                                'requests)'},
                             {'cve_id': 'CVE-2019-18935',
                              'description': 'Deserialization vulnerability in '
                                             'Progress Telerik UI for ASP.NET '
                                             'AJAX',
                              'exploitability': 'High'},
                             {'cve_id': 'CVE-2025-5777',
                              'description': 'Out-of-bounds read in Citrix '
                                             'NetScaler ADC and Gateway',
                              'exploitability': 'High'},
                             {'cve_id': 'CVE-2025-53770',
                              'description': 'Microsoft SharePoint '
                                             'vulnerability (details '
                                             'undisclosed)'},
                             {'cve_id': 'CVE-2025-53771',
                              'description': 'Microsoft SharePoint '
                                             'vulnerability (details '
                                             'undisclosed)'},
                             {'cve_id': 'CVE-2025-49704',
                              'description': 'Microsoft SharePoint '
                                             'vulnerability (details '
                                             'undisclosed)'},
                             {'cve_id': 'CVE-2025-49706',
                              'description': 'Microsoft SharePoint '
                                             'vulnerability (details '
                                             'undisclosed)'}]}