CISA Flags Actively Exploited Flaws in AMI, D-Link, and Fortinet Devices


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. These include severe flaws in AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS, The Hacker News reports.
The most critical is CVE-2024-54085, a remote authentication bypass in AMI MegaRAC’s Redfish Host Interface, carrying a CVSS score of 10.0. This flaw could allow attackers to gain full control, deploy malware, and tamper with firmware. Although it is being exploited, details on the scope of the attacks and the actors behind them remain unknown.
The second flaw, CVE-2024-0769, is a path traversal vulnerability in D-Link DIR-859 routers (CVSS 5.3), enabling privilege escalation and unauthorized device control. It was first flagged a year ago during a campaign to extract user credentials. These routers reached end-of-life in December 2020 and will not receive patches, prompting advisories for users to decommission the devices.
Lastly, CVE-2019-6693 affects Fortinet FortiOS, FortiManager, and FortiAnalyzer. It involves hard-coded cryptographic keys used to encrypt password data in CLI configurations. This vulnerability, with a CVSS score of 4.2, has reportedly been used by actors linked to the Akira ransomware group to gain initial access to networks.
In response to these active threats, all Federal Civilian Executive Branch (FCEB) agencies must implement mitigation measures by July 16, 2025, to secure their systems.
Takeaway: Ransomware crews aren’t breaking in through some secret backdoor—most of the time, they’re walking right through the front door that’s been left wide open. The latest KEV additions from CISA are just more proof that threat actors are feasting on well-documented, patchable vulnerabilities that too many orgs are still leaving unaddressed.
This isn’t about some zero-day magic or next-gen malware wizardry. This is about incomplete asset management and tardy patching regimens. When D-Link routers hit end-of-life and no one retires them, or Fortinet appliances are still using hard-coded crypto keys from five years ago, you’re setting yourself up as a target.
And the ransomware operators? They’ve figured out that they don’t need to burn new exploits when the targets keep presenting them unpatched systems and vulnerable edge devices on a silver platter.
There’s a painful truth here that security teams and execs need to internalize: defense is largely about the basics. Know what’s on your network, know what it’s running, and keep it up to date.
The game has changed. Asset management is threat detection. Patch management is intrusion prevention. If you can’t see it, you can’t secure it. And if you don’t patch it, they will exploit it. The time-to-exploit window is collapsing.
Threat actors aren’t waiting months—they’re in within days, sometimes hours, of a CVE going public. That’s the new battlefield, and we’re losing too many fights over stuff we already knew how to fix.
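One way to put "know what's on your network, know what it's running" into practice is to match an asset inventory against the KEV entries and their due date. The example below is added here and is not code from the original article or from Halcyon. It assumes a constructed inventory with hypothetical hosts and field names, and a constructed excerpt shaped like CISA's KEV JSON feed that carries the three CVEs and the July 16, 2025 due date reported above.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed (field names cveID,
# vendorProject, product, dueDate); values come from the article above.
KEV = [
    {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC", "dueDate": "2025-07-16"},
    {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859", "dueDate": "2025-07-16"},
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS", "dueDate": "2025-07-16"},
]

# Constructed inventory: hosts, field names and the "remediated" attestation
# are hypothetical. The article gives only December 2020 for the DIR-859
# end-of-life, so the last day of that month is assumed.
INVENTORY = [
    {"host": "bmc-rack12", "vendor": "AMI", "product": "MegaRAC SPx", "eol": None, "remediated": set()},
    {"host": "branch-rtr-3", "vendor": "D-Link", "product": "DIR-859", "eol": "2020-12-31", "remediated": set()},
    {"host": "fw-edge-1", "vendor": "Fortinet", "product": "FortiOS", "eol": None, "remediated": {"CVE-2019-6693"}},
    {"host": "sw-core-1", "vendor": "ExampleCo", "product": "Switch-X", "eol": None, "remediated": set()},
]

def _norm(text):
    """Lower-case and drop punctuation so 'D-Link' matches 'dlink'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def triage(inventory, kev, today):
    """Return open KEV findings, end-of-life devices first, then by deadline."""
    findings = []
    for asset in inventory:
        for entry in kev:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            if _norm(entry["product"]) not in _norm(asset["product"]):
                continue
            if entry["cveID"] in asset["remediated"]:
                continue
            eol = asset["eol"] and date.fromisoformat(asset["eol"])
            # No patch will ship for an end-of-life device: retire it.
            action = "decommission" if eol and eol <= today else "mitigate"
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "action": action, "days_left": days_left})
    findings.sort(key=lambda f: (f["action"] != "decommission", f["days_left"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY, KEV, date(2025, 7, 1)):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f"{f['host']:<14}{f['cve']:<16}{f['action']:<14}{state}")
```

Matching on vendor and product name alone over-reports, since it ignores firmware versions; the article lists no fixed versions, so the example treats every matching asset as exposed until its owner records the CVE as remediated.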
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.