U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the growing threat landscape for organizations worldwide. The first vulnerability, CVE-2025-24472, affects Fortinet's FortiOS and FortiProxy software, while the second, CVE-2025-30066, is a supply chain attack on GitHub Action.
Fortinet Vulnerability: Authentication Bypass
In February, Fortinet warned that threat actors were exploiting a new zero-day vulnerability in FortiOS and FortiProxy to hijack firewalls. The vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), is an authentication bypass issue that could allow a remote attacker to gain super-admin privileges by making maliciously crafted CSF proxy requests.
An advisory released by Fortinet notes that the vulnerability affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19. Fortinet fixed the issue in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above.
Threat actors are exploiting this vulnerability to create rogue admin or local users, modify firewall policies, and access SSL VPNs to gain access to internal networks. In January, researchers at Forescout Research – Vedere Labs reported that threat actors exploited two Fortinet vulnerabilities to deploy the SuperBlack ransomware.
GitHub Action Flaw: Supply Chain Attack
The second flaw added to the catalog is CVE-2025-30066, a supply chain attack on GitHub Action's tj-actions/changed-files. StepSecurity researchers reported that threat actors compromised the GitHub Action, allowing them to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow.
The tj-actions/changed-files GitHub Action is used in over 23,000 repositories, automating workflows by detecting file changes in commits or pull requests, aiding testing, and automation. The CVE-2025-30066 (CVSS score: 8.6) was assigned to this supply chain attack.
Attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit. This allowed them to print CI/CD secrets in GitHub Actions build logs, potentially exposing sensitive information to anyone who could access these logs.
According to StepSecurity, there is no evidence that the leaked secrets were exfiltrated to any remote network destination. The researchers detected the issue on March 14, 2025, when they noticed an unexpected endpoint appeared in network traffic.
What You Can Do
To protect your networks against these newly identified vulnerabilities, organizations are advised to review the KEV catalog and address the vulnerabilities in their infrastructure as soon as possible. The Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires federal agencies to fix this vulnerability by April 8, 2025.
Experts also recommend private organizations take proactive steps to secure their networks and address these vulnerabilities. Follow @securityaffairs on Twitter, Facebook, and Mastodon for the latest updates on cybersecurity threats and vulnerabilities.