Pierluigi Paganini
March 19, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
In February, Fortinet warned that threat actors were exploiting a new zero-day vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), in FortiOS and FortiProxy to hijack Fortinet firewalls.
The vulnerability is an authentication bypass issue that could allow a remote attacker to gain super-admin privileges by making maliciously crafted CSF proxy requests.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12, 7.0.0 through 7.0.19 may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.” reads the advisory.
The vulnerability impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Fortinet fixed it in FortiOS 7.0.17 or above and FortiProxy 7.0.20/7.2.13 or above.
Fortinet added this vulnerability to an advisory related to the vulnerability CVE-2024-55591 disclosed in January. The flaw CVE-2024-55591 is an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The flaw could allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.” reads the advisory. “Please note that reports show this is being exploited in the wild.”
Threat actors exploit the flaws to create rogue admin or local users, modify firewall policies, and access SSL VPNs to gain access to internal networks.
Last week, researchers at Forescout Research – Vedere Labs reported that between January and March, threat actors exploited two Fortinet vulnerabilities to deploy the SuperBlack ransomware. The experts attribute the attacks to a threat actor named “Mora_001” which using Russian-language artifacts and exhibiting a unique operational signature. The experts speculate Mora_001 could be linked to the LockBit ecosystem, reflecting the growing complexity of ransomware operations.
Mora_001 used the leaked LockBit builder to create encryptor, tracked by Forescout as SuperBlack ransomware, and removed any LockBit’s branding.
However Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours. It is interesting to note that the ransom note shares a TOX ID with LockBit, suggesting a potential affiliation. However, its structured playbook and unique operational patterns distinguish it as a separate entity capable of independent intrusions.
CISA confirmed that the flaw CVE-2025-24472 is known to be used in ransomware campaigns.
The second flaw added to the catalog is CVE-2025-30066. StepSecurity researchers reported that threat actors compromised the GitHub Action tj-actions/changed-files, allowing the leak of secrets from repositories using the continuous integration and continuous delivery CI/CD workflow.
The tj-actions/changed-files GitHub Action is used in over 23,000 repositories, it automates workflows by detecting file changes in commits or pull requests, aiding testing, and automation. The CVE-2025-30066 (CVSS score: 8.6) was assigned to this supply chain attack.
“The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised. In this attack, the attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action prints CI/CD secrets in GitHub Actions build logs. If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets.” states StepSecurity. “There is no evidence that the leaked secrets were exfiltrated to any remote network destination.”
StepSecurity discovered the supply chain attack on March 14, 2025, where attackers modified the tool to leak CI/CD secrets from workflow logs.
“StepSecurity Harden-Runner detected this issue through anomaly detection when an unexpected endpoint appeared in the network traffic. Based on our analysis, the incident started around 9:00 AM March 14th, 2025 Pacific Time (PT) / 4:00 PM March 14th, 2025 UTC.” continues StepSecurity. “Update March 14, 2025 11:00 PM UTC: Most versions of tj-actions/changed-files are compromised.”
On March 15, the company detected multiple public repositories that had leaked secrets in build logs, allowing anyone to steal these secrets.
The researchers noticed that compromised GitHub Action executes a malicious Python script that extracts CI/CD secrets from the Runner Worker process. Attackers retroactively altered multiple release tags to point to the same malicious commit, injecting an exploit that dumps memory and extracts sensitive data. The commit, falsely attributed to the renovate bot, downloads and executes a script from an external source, using memory forensics to locate and extract secrets.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
CISA orders federal agencies to fix this vulnerability by April 8, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
