Threat Advisory

Critical Security Flaws in Fortinet FortiOS/FortiProxy and GitHub

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Researchers have identified CVE-2025-24472 and CVE-2025-30066 as actively exploited vulnerabilities. CVE-2025-24472 is an authentication bypass flaw in Fortinet FortiOS and FortiProxy that allows remote attackers to gain super-admin privileges via crafted CSF proxy requests, and it has been actively exploited in ransomware attacks, including those linked to the SuperBlack ransomware group. CVE-2025-30066 affects the tj-actions/changed-files GitHub Action, where attackers modified the code to leak CI/CD secrets from workflow logs, posing a significant supply chain risk. Researchers urge organizations to patch these vulnerabilities promptly to mitigate active threats.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Researchers have identified CVE-2025-24472 and CVE-2025-30066 as actively exploited vulnerabilities. CVE-2025-24472 is an authentication bypass flaw in Fortinet FortiOS and FortiProxy that allows remote attackers to gain super-admin privileges via crafted CSF proxy requests, and it has been actively exploited in ransomware attacks, including those linked to the SuperBlack ransomware group. CVE-2025-30066 affects the tj-actions/changed-files GitHub Action, where attackers modified the code to leak CI/CD secrets from workflow logs, posing a significant supply chain risk. Researchers urge organizations to patch these vulnerabilities promptly to mitigate active threats.[emaillocker id="1283"]

  • CVE-2025-30066: It is a supply chain vulnerability affecting the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. Attackers modified the action’s code to leak CI/CD secrets from workflow logs, potentially exposing sensitive credentials if logs were publicly accessible. The exploit involved retroactively updating multiple version tags to reference a malicious commit, injecting a script that extracts secrets. This vulnerability has a CVSS score of 8.6, indicating a high severity risk for affected repositories.
  • CVE-2025-24472: It is an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy that allows remote attackers to gain super-admin privileges via crafted CSF proxy requests. Threat actors have actively exploited this flaw in ransomware campaigns to create rogue admin users, modify firewall policies, and gain unauthorized access to internal networks. The vulnerability impacts multiple FortiOS and FortiProxy versions, enabling attackers to hijack Fortinet firewalls. This vulnerability has a CVSS score of 8.1, making it a critical security risk for affected systems.

Organizations should promptly address these vulnerabilities to prevent exploitation by threat actors.

RECOMMENDATION:

For CVE-2025-30066, We strongly recommend you update GitHub Action to versions v46.0.1.

For CVE-2025-24472, We strongly recommend you update FortiOS to versions 7.0.17 or later and FortiProxy to versions 7.0.20, 7.2.13, or later.

REFERENCES:

The following reports contain further technical details:
https://securityaffairs.com/175583/security/u-s-cisa-adds-fortinet-fortios-fortiproxy-and-github-action-flaws-to-its-known-exploited-vulnerabilities-catalog.html

[/emaillocker]
crossmenu