Fortinet Vulnerability Actively Exploited in Ransomware Attacks: A Growing Threat to Cybersecurity


The cybersecurity landscape has witnessed yet another alarming vulnerability, as the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that a critical flaw in Fortinet products is being actively exploited in ransomware campaigns. The vulnerability, tracked as CVE-2025-24472, has opened doors for cybercriminals to launch sophisticated attacks, putting thousands of organizations at risk. This article dives into the details of the ongoing exploitation, the vulnerabilities involved, and the implications for users of Fortinet products and GitHub Actions. Additionally, we’ll analyze the trends emerging from these cybersecurity threats and what steps can be taken to mitigate the risks.

The Issue

A severe vulnerability, CVE-2025-24472, affecting Fortinet products, has been confirmed by CISA to be exploited in a ransomware campaign. This vulnerability stems from an authentication bypass that affects both FortiOS and FortiProxy versions ranging from 7.0.0 to 7.0.16 and 7.2.0 to 7.2.12. The flaw allows remote attackers to gain super-admin privileges by sending specially crafted CSF proxy requests, putting sensitive systems at risk of compromise.

Fortinet disclosed the vulnerability in mid-January 2025, assigning it a high severity rating of 8.1 on the CVSS scale, indicating the potential for widespread damage. Fixed releases, including versions 7.0.17, 7.2.13, and 7.0.20, were made available for affected systems, and users were urged to update to a secure version.
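Because the affected builds are defined by version ranges, a quick inventory check is the first defensive step. The following helper is an added example for this article, not Fortinet tooling: it encodes the inclusive ranges the article gives (7.0.0 to 7.0.16 and 7.2.0 to 7.2.12 for both FortiOS and FortiProxy; confirm against the vendor PSIRT advisory for your exact product line) and compares versions numerically, which avoids the classic mistake of string comparison, where "7.0.9" sorts after "7.0.16". The inventory rows are constructed sample data.

```python
"""Triage FortiOS/FortiProxy versions against the ranges the article lists
for CVE-2025-24472. Added example; range data and sample inventory are
taken from the article text and constructed, respectively."""

# Inclusive affected ranges as stated in the article. Assumption: both
# products share the same ranges; verify against Fortinet's advisory.
AFFECTED_RANGES = {
    "FortiOS": [("7.0.0", "7.0.16"), ("7.2.0", "7.2.12")],
    "FortiProxy": [("7.0.0", "7.0.16"), ("7.2.0", "7.2.12")],
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '7.0.16' (or 'v7.0.16') into (7, 0, 16). Numeric tuples compare
    correctly, unlike raw strings ('7.0.9' > '7.0.16' lexicographically)."""
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True when the version falls inside any affected range for the product."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"no range data for product {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (hostname, status) pairs; status is 'AFFECTED', 'ok', or
    'unknown' when the version string cannot be parsed."""
    results = []
    for hostname, product, version in inventory:
        try:
            status = "AFFECTED" if is_affected(product, version) else "ok"
        except (ValueError, KeyError):
            status = "unknown"
        results.append((hostname, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.16"),    # last affected 7.0.x build
    ("fw-edge-02", "FortiOS", "7.0.17"),    # first fixed 7.0.x build
    ("fw-dc-01", "FortiOS", "7.2.9"),       # inside 7.2.0-7.2.12
    ("proxy-01", "FortiProxy", "7.2.13"),   # fixed
    ("fw-lab", "FortiOS", "7.4.0"),         # outside listed ranges
    ("fw-legacy", "FortiOS", "unknown"),    # unparseable, needs manual review
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Hosts reported as `unknown` deserve a manual check rather than being silently dropped; an unparseable version string in an inventory export is often a sign the device has not been looked at in a while.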

On March 12, Forescout reported that a ransomware group named Mora_00, which has ties to LockBit, was exploiting CVE-2025-24472 as part of its attack strategy. Mora_00 is deploying a new ransomware strain called ‘SuperBlack,’ alongside another Fortinet vulnerability, CVE-2024-55591, for maximum impact. CISA confirmed these findings on March 18, officially adding CVE-2025-24472 to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2024-55591 had already been included in January.

Furthermore, CISA added another vulnerability, CVE-2025-30066, to the KEV catalog. This vulnerability affects tj-actions/changed-files, a popular GitHub Action used by over 23,000 organizations in continuous integration and delivery (CI/CD) processes. The flaw, which was introduced through a malicious commit in the code repository, exposed sensitive CI/CD secrets to attackers. All versions of tj-actions/changed-files were affected, and the issue carries a CVSS base score of 8.6. GitHub has since patched the issue, but organizations using older versions should verify their installations to ensure they are secure.
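Verifying an installation means finding every workflow that references the action and checking how it is pinned: a tag such as `@v45` is a mutable pointer that a compromised repository can redirect, whereas a full 40-character commit SHA is immutable. The auditor below is an added example, not code from GitHub or the tj-actions project. It scans workflow text with a line-based regular expression (so it needs no YAML library), flags every `uses:` reference that is not SHA-pinned, and separately flags any reference to a watch-listed action regardless of pinning, since the article states all versions were affected. The workflow file and the 40-hex SHA in it are constructed sample data.

```python
"""Audit GitHub workflow files for mutable action references and for use of
a watch-listed action. Added example; the sample workflow is constructed."""
import re

# Matches "uses: owner/repo@ref" whether or not the step starts with "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
# A full commit SHA is 40 lowercase hex characters; anything else is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions to report even when SHA-pinned. Taken from the article; extend
# with your own list of known-compromised actions.
WATCHLIST = ("tj-actions/changed-files",)


def audit_workflow(text: str, watchlist: tuple[str, ...] = WATCHLIST) -> list[dict]:
    """Return one finding per risky 'uses:' line, with the line number,
    action, ref, whether it is SHA-pinned, and the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        pinned = bool(SHA_RE.match(ref))
        reasons = []
        if not pinned:
            reasons.append("not pinned to a full commit SHA")
        if action in watchlist:
            reasons.append("action is on the watchlist")
        if reasons:
            findings.append({
                "line": lineno,
                "action": action,
                "ref": ref,
                "pinned": pinned,
                "reasons": reasons,
            })
    return findings


# Constructed sample workflow. The SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {'; '.join(f['reasons'])}")
```

Run it over every file under `.github/workflows/` in each repository; a clean result means every third-party step is pinned to an immutable commit and none of the watch-listed actions is present. Pinning alone does not help when the commit you pinned was itself the malicious one, which is why the watchlist check is reported independently of pin status.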

What Undercode Says: An Analysis of the Growing Threat

The rise in targeted ransomware attacks and the exploitation of critical vulnerabilities in widely-used software systems, such as Fortinet products and GitHub Actions, underscores a disturbing trend in cybersecurity: the increasing sophistication of cyberattacks. With ransomware groups, including the notorious Mora_00 and LockBit, adapting and leveraging existing vulnerabilities in their campaigns, the threat landscape has become more complex.

The fact that CVE-2025-24472 has been actively exploited by a ransomware group demonstrates how quickly vulnerabilities can go from being a theoretical risk to a real-world exploitation tool. The use of multiple vulnerabilities in tandem, like CVE-2025-24472 and CVE-2024-55591, also indicates the heightened coordination and strategy being employed by these threat actors. By exploiting multiple weaknesses in a product ecosystem, attackers are able to maximize their chances of success and cause far-reaching damage.

This development also highlights a fundamental issue with the cybersecurity landscape: many organizations are still running outdated or unpatched software versions. Despite the high severity rating of these vulnerabilities, many systems remain unprotected, leaving them exposed to exploitation. In fact, the discovery of exploits for Fortinet’s products is just the tip of the iceberg. Cybercriminals are becoming adept at finding ways to bypass security measures, utilizing even small gaps in the system to execute their attacks.

On the GitHub Actions front, the vulnerability in tj-actions/changed-files further demonstrates how integral open-source components are to modern software development. However, these components can also become attack vectors when not properly managed. Organizations relying on CI/CD platforms must be aware of the risks associated with third-party tools and ensure they are continuously updating and securing their supply chain, as demonstrated by the GitHub Action flaw. The fact that over 23,000 organizations were potentially affected emphasizes how pervasive this issue is in the developer community.

What’s concerning is the increasing interconnectedness of different platforms and services that are now being targeted. A vulnerability in a single tool or platform can have cascading effects on the entire ecosystem. For example, an attacker exploiting Fortinet vulnerabilities may also find ways to infiltrate an organization’s GitHub Actions environment, further escalating the risk of widespread disruption.

To mitigate these threats, organizations must prioritize patch management. Ensuring that all systems are updated with the latest security patches is the most effective line of defense. Additionally, implementing robust monitoring and detection systems will help to identify and respond to suspicious activities before they lead to catastrophic breaches. Regularly auditing and verifying the security of open-source tools and components is also a key step toward maintaining a secure development environment.

Fact Checker Results

  1. The vulnerabilities in Fortinet products and GitHub Actions are real and verified by cybersecurity authorities such as CISA and Forescout.
  2. Exploited vulnerabilities in Fortinet products, including CVE-2025-24472, have been tied to active ransomware campaigns.
  3. GitHub Actions’ vulnerability (CVE-2025-30066) affected over 23,000 organizations before being patched by GitHub.

References:

Reported By: https://www.infosecurity-magazine.com/news/fortinet-vulnerability-ransomware/