The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two major vulnerabilities to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation. These vulnerabilities, CVE-2025-24472 and CVE-2025-30066, pose cybersecurity risks to both federal agencies and private-sector organizations.
Exploited by malicious actors, these vulnerabilities could lead to unauthorized access, data breaches, and the execution of malicious code, underscoring the urgency of applying proper mitigations.
On February 11, 2025, CISA added CVE-2025-24472 to its catalog, which involves an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy products. This vulnerability, identified in versions 7.0.0 through 7.0.16 and 7.2.0 through 7.2.12 of FortiOS and FortiProxy, allows remote attackers to bypass authentication protocols and gain unauthorized super-admin privileges. The flaw stems from the ability of attackers to exploit crafted CSF (Content Security Filter) proxy requests to gain unauthorized access to affected systems.
The CVE-2025-24472 vulnerability carries a CVSS score of 8.1, indicating its high severity. The affected versions of FortiOS and FortiProxy are crucial for organizations relying on these systems for network security. An attacker exploiting this vulnerability could execute unauthorized commands, which might result in data manipulation, unauthorized access to confidential information, and full control over the system.
According to the official release, the flaw is particularly dangerous as it allows attackers to escalate their privileges without requiring initial access or authentication. This makes the vulnerability a prime target for remote cyberattacks. Fortinet has addressed this issue in its latest updates and strongly recommends that users of affected versions immediately upgrade to patched releases to mitigate the risk of exploitation.
The second vulnerability added to CISA’s catalog, CVE-2025-30066, involves the tj-actions/changed-files GitHub Action, a tool that tracks file changes in pull requests or commits. This vulnerability, discovered on March 15, 2025, allowed attackers to inject malicious code into the GitHub Action, enabling them to steal sensitive secrets, such as API keys, private RSA keys, and GitHub Personal Access Tokens (PATs), among other credentials.
The vulnerability exists in versions prior to v46.0.1 of the tj-actions/changed-files GitHub Action. Malicious actors exploited this flaw by modifying the action to point to a compromised commit containing embedded malicious code. This attack resulted in unauthorized access to private data stored in the GitHub action logs, thereby exposing organizations to a range of security threats, including unauthorized system access and further supply chain attacks.
CVE-2025-30066 carries a CVSS score of 8.6, which places it in the high-severity category. The compromised action, which is widely used in open-source software development, was exploited in several critical incidents. One of the most interesting aspects of this vulnerability is that it was a supply chain attack, meaning the malicious code was introduced through a third-party software component.
Following the discovery, GitHub quickly released an updated version of the tj-actions/changed-files action (v46.0.1) to resolve the vulnerability and patch the malicious code. CISA strongly advises users to update to this latest version immediately and to follow best practices for securing their GitHub workflows.
Both of these vulnerabilities represent security threats due to their ability to bypass authentication controls and inject malicious code. CVE-2025-24472, the authentication bypass vulnerability in Fortinet products, allows attackers to gain super-admin privileges remotely. This kind of unauthorized access can lead to full control over critical infrastructure, expose sensitive data, and allow attackers to alter or destroy information.
Meanwhile, CVE-2025-30066, the malicious code vulnerability in a widely used GitHub Action, exemplifies the risk of supply chain attacks. By compromising a popular tool used in software development, attackers could inject code that granted them access to sensitive credentials across numerous projects, potentially affecting organizations relying on those keys to maintain secure systems.
Both vulnerabilities emphasize the critical need for continuous vigilance and patch management in organizations. Exploiting these flaws allows cybercriminals to establish footholds in target systems, steal valuable data, and potentially cause lasting damage to both private and public sector entities.
To mitigate the risks of CVE-2025-24472 and CVE-2025-30066, organizations should quickly update to the latest patched versions—FortiOS 7.0.17 or later, FortiProxy 7.2.13 or later, and tj-actions/changed-files 46.0.1 or later. Administrators must also secure network configurations and carefully vet third-party GitHub actions.
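As an added defender-side example (not code from the original post or from the tj-actions project), the Python audit below scans a GitHub workflow file for `uses:` references to tj-actions/changed-files, flags versions below v46.0.1 and any mutable tag or branch reference, and accepts only full commit-SHA pins, which cannot be retargeted the way the action's tags were in this incident. The sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

TARGET = "tj-actions/changed-files"
FIXED = (46, 0, 1)          # first patched release named in the advisory
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def parse_version(ref):
    """'v45', 'v46.0.1' -> (45, 0, 0), (46, 0, 1); branch names -> None."""
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$", ref)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(version):
    """Status for the part after '@' in a uses: reference."""
    if SHA_RE.match(version):
        return "pinned-sha"            # immutable: tag retargeting cannot change it
    ver = parse_version(version)
    if ver is not None and ver < FIXED:
        return "below-fixed-version"   # in the range the advisory calls affected
    return "unpinned-mutable-ref"      # tag/branch: can be repointed, as in this incident

def audit_workflow(text):
    """Return (line_no, uses_ref, status) for each reference to the affected action."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        repo, _, version = ref.partition("@")
        if repo.split("/")[:2] != TARGET.split("/"):
            continue                   # some other action, or a local ./path
        findings.append((line_no, ref, classify(version)))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""
```

Running `audit_workflow` over the sample reports the `v45` line as below the fixed version, the `v46.0.1` tag as still mutable, and only the SHA-pinned line as safe; any unpinned finding is a candidate for re-pinning and, per CISA's guidance, credential rotation.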
CISA recommends monitoring system logs, rotating exposed credentials, and applying strong access control measures. The inclusion of these vulnerabilities in the Known Exploited Vulnerabilities Catalog highlights the urgency of addressing cyber threats.
Cyble provides AI-powered threat intelligence to help organizations stay protected from cyber threats and strengthen their defenses against cyberattacks, minimizing exposure and ensuring security.
Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions: Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.