
tj-actions supply chain attack
The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which means each has evidence of active exploitation in the wild. One affects Fortinet FortiOS and FortiProxy; the other is the supply-chain compromise of the widely used tj-actions/changed-files GitHub Action.
Fortinet Vulnerabilities Under Attack
CISA flagged CVE-2025-24472, an authentication bypass (CVSS 8.1) affecting Fortinet FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. A remote attacker who exploits it obtains super-admin privileges by sending specially crafted CSF proxy requests. The flaw was initially not reported as exploited, but Forescout researchers found it being used by a ransomware operator they track as ‘Mora_001’, which has deployed a custom ransomware named SuperBlack since early February 2025.

Source: Forescout
This vulnerability joins CVE-2024-55591, another Fortinet authentication bypass that has been exploited since at least November 2024. Arctic Wolf confirmed that both have been used in targeted attacks against FortiGate firewalls. Fortinet has released fixes; administrators should update to FortiOS 7.0.17 or later and to FortiProxy 7.0.20 or 7.2.13 or later. Note that updating closes the bypass but does not evict an attacker who already obtained super-admin access: review the device for unexpected administrator accounts and configuration changes made before the patch was applied.
Supply Chain Attack on GitHub Action
Separately, a supply-chain attack hit the widely used GitHub Action tj-actions/changed-files (tracked as CVE-2025-30066, CVSS 8.6). The attackers retroactively repointed the action's version tags at malicious code that wrote CI/CD secrets into workflow run logs. The action is used by more than 23,000 repositories, and run logs of public repositories are readable by anyone. StepSecurity first reported the incident after detecting the anomalous behaviour on March 14, 2025.

Because workflows commonly reference an action by a mutable tag such as a major version, moving the tags was enough to make any workflow that used the action by tag run the injected commit on its next job. That commit dumped the secrets available to the runner into the job log, where anyone can read them on a public repository. GitHub responded quickly, removing the compromised action and then restoring the repository without the malicious code, but any secret exposed while the tags were poisoned must be treated as compromised.
GitHub advises affected users to rotate any secrets that were available to workflows that ran the action during the incident window, to review workflow run logs for unexpected output, and to reference actions by full commit SHA rather than by tag, since a tag can be moved to a different commit but a SHA cannot.
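As an added illustration of the pinning advice above (this is example code written for this page, not code from GitHub, StepSecurity, or the tj-actions project), the following Python script audits workflow text for `uses:` references to third-party actions that are not pinned to a full 40-hex commit SHA, and singles out tj-actions/changed-files because of this incident. The sample workflow, the local action path and the placeholder SHA `0123456789abcdef0123456789abcdef01234567` are constructed for the example and do not correspond to any real commit.

```python
import glob
import re
import sys
from dataclasses import dataclass

# `uses: owner/repo[/sub/path]@ref`, optionally quoted, optionally followed by a
# YAML comment (teams often note the human-readable tag next to a pinned SHA).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)['\"]?\s*(#.*)?$"
)
# GitHub commit SHAs are 40 lowercase hex characters; anything else (v45, main,
# v45.0.1) is a mutable reference that whoever controls the repository, including
# an attacker with write access, can repoint at will.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The action named in the article as compromised in this incident.
KNOWN_COMPROMISED = {"tj-actions/changed-files"}


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    severity: str  # "critical", "warn" or "info"
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step that is not pinned to a reviewed commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` step, or a local (./path) / docker:// action with no @ref
        action, ref = m.group("action"), m.group("ref")
        repo = "/".join(action.split("/")[:2])  # drop any sub-path: owner/repo/sub -> owner/repo
        pinned = bool(SHA_RE.match(ref))
        if repo in KNOWN_COMPROMISED:
            if pinned:
                findings.append(Finding(line_no, action, ref, "info",
                    "pinned; confirm this SHA is the commit you reviewed and not the injected one"))
            else:
                findings.append(Finding(line_no, action, ref, "critical",
                    "compromised action referenced by a mutable tag; rotate secrets and pin to a reviewed SHA"))
        elif not pinned:
            findings.append(Finding(line_no, action, ref, "warn",
                "mutable tag/branch reference; pin to a full 40-hex commit SHA"))
    return findings


# Constructed sample workflow for the example; the checkout SHA is a placeholder,
# not a real commit, and the local action path does not exist.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - name: detect changes
        uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: actions/setup-python@v5
"""


def audit_paths(paths: list[str]) -> list[tuple[str, Finding]]:
    """Audit every workflow file in `paths`; returns (path, finding) pairs."""
    results: list[tuple[str, Finding]] = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results.extend((path, f) for f in audit_workflow(fh.read()))
    return results


if __name__ == "__main__":
    # Run from a repository root to audit its real workflows; otherwise audit the sample.
    workflow_files = sorted(glob.glob(".github/workflows/*.y*ml"))
    if workflow_files:
        pairs = audit_paths(workflow_files)
    else:
        pairs = [("<sample>", f) for f in audit_workflow(SAMPLE_WORKFLOW)]
    for path, f in pairs:
        print(f"{f.severity.upper():8} {path}:{f.line_no}: {f.action}@{f.ref} - {f.reason}")
    sys.exit(1 if any(f.severity == "critical" for _, f in pairs) else 0)
```

On the sample, the checkout step passes because it is pinned, the changed-files step is reported as critical because it is referenced by the mutable tag `v45`, and the setup-python step is reported as a warning. A pinned reference to the compromised action is still reported at info level: a SHA is immutable, but the audit cannot tell whether the pinned commit is one you reviewed, so that check stays with the reviewer.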
Urgent Recommendations
CISA requires Federal Civilian Executive Branch (FCEB) agencies to remediate both KEV entries by April 8, 2025. All organizations running the affected Fortinet versions should patch now, and any organization whose workflows used tj-actions/changed-files should rotate the secrets those workflows could reach, audit run logs for exposure, and pin the action to a reviewed commit SHA.