New Cybersecurity Threats: CISA Adds Fortinet and GitHub Vulnerabilities to KEV Catalog

Listen to this Post

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which highlights critical security flaws actively being exploited by cybercriminals. The latest additions involve Fortinet’s FortiOS and FortiProxy, as well as a supply chain attack targeting GitHub Actions. These vulnerabilities pose significant threats to organizations globally, and it’s crucial to understand their implications for cybersecurity.

Fortinet Vulnerabilities: CVE-2025-24472 and CVE-2024-55591

In February, Fortinet issued a warning about a zero-day vulnerability identified as CVE-2025-24472, which affects FortiOS and FortiProxy systems. This vulnerability, with a CVSS score of 8.1, allows attackers to bypass authentication and gain super-admin privileges through specially crafted CSF proxy requests. This flaw impacts FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. Fortinet quickly released patches for this vulnerability, urging users to upgrade to FortiOS 7.0.17 or higher, and FortiProxy 7.0.20/7.2.13 or higher.

CVE-2024-55591, disclosed earlier, shares similarities with the CVE-2025-24472 flaw. It also allows remote attackers to gain super-admin privileges by exploiting an authentication bypass vulnerability. Reports indicate that this vulnerability has been actively exploited in the wild, allowing attackers to create rogue admin accounts, modify firewall policies, and access internal networks through SSL VPNs.

Ransomware Attack Linked to Fortinet Flaws

Researchers at Forescout Research (Vedere Labs) found that threat actors exploited these Fortinet vulnerabilities to deploy SuperBlack ransomware between January and March. The attacks have been attributed to the group “Mora_001,” which exhibits tactics closely resembling those used by LockBit ransomware affiliates. Mora_001 is believed to use the leaked LockBit builder to create SuperBlack ransomware, though it removes any LockBit branding. This suggests that Mora_001 operates as an independent threat actor while utilizing some LockBit techniques.

GitHub Supply Chain Attack: CVE-2025-30066

The second vulnerability added to the KEV catalog is CVE-2025-30066, which affects GitHub’s tj-actions/changed-files Action. This tool is widely used in over 23,000 repositories to automate workflows in continuous integration/continuous delivery (CI/CD) processes. The vulnerability stems from an attacker compromising the GitHub Action, allowing secrets to be leaked through publicly accessible build logs.

Researchers discovered that the attackers modified the Action’s code to retroactively alter version tags, pointing to a malicious commit. This commit runs a Python script designed to extract CI/CD secrets from the build logs. The incident was detected by StepSecurity researchers on March 14, 2025, and has since been confirmed to affect a significant number of public repositories.

What Undercode Says:

The addition of Fortinet and GitHub vulnerabilities to the KEV catalog highlights the ongoing and evolving threats in the cybersecurity landscape. Both of these vulnerabilities have been actively exploited in the wild, underlining the importance of patching and proactive monitoring.

Fortinet’s vulnerabilities are particularly concerning because they allow attackers to gain super-admin privileges remotely, making it easier for threat actors to modify critical network configurations, deploy ransomware, or exfiltrate sensitive data. The link between these flaws and ransomware operations like SuperBlack only highlights the growing complexity of modern cyberattacks, where threat actors are continuously refining their techniques and tools.

For organizations using Fortinet products,

On the GitHub side, the supply chain attack is a stark reminder of the vulnerabilities that can arise in commonly used open-source tools. The exposure of CI/CD secrets could have far-reaching consequences, especially for organizations with public-facing repositories. Developers must be vigilant about the security of the third-party tools they incorporate into their workflows and consider using more secure options for handling sensitive data.

The fact that both vulnerabilities involve authentication bypass and secret leakage reinforces a critical point for cybersecurity professionals: unauthorized access to systems and data remains one of the most potent threats today. Attackers continue to exploit flaws in authentication mechanisms and gain access to sensitive assets, often leading to widespread damage.

Fact Checker Results

  • CVE-2025-24472 has been confirmed as an actively exploited vulnerability, allowing attackers to gain unauthorized super-admin access to FortiOS and FortiProxy.
  • CVE-2025-30066 is also confirmed to be actively exploited, with attackers compromising a GitHub Action to leak CI/CD secrets.
  • Both vulnerabilities pose a significant risk to the security of organizations using affected systems and workflows.

References:

Reported By: https://securityaffairs.com/175583/security/u-s-cisa-adds-fortinet-fortios-fortiproxy-and-github-action-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Extra Source Hub:
https://www.twitter.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image