Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a critical vulnerability in Fortinet products is being actively exploited in a ransomware campaign.
The vulnerability, CVE-2025-24472, is an authentication bypass using an alternate path or channel. It affects FortiOS 7.0.0 through 7.0.16, and FortiProxy 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19.
When exploited, it can allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
It was disclosed by Fortinet in mid-January 2025 and given a high severity rating, with a CVSS base score of 8.1.
Users were advised to upgrade to the patched versions: FortiOS 7.0.17 or later, and FortiProxy 7.2.13 or 7.0.20 or later.
On March 12, Forescout revealed that Mora_001, a ransomware group with connections to LockBit, was exploiting CVE-2025-24472 alongside CVE-2024-55591, another Fortinet vulnerability, when deploying a novel ransomware strain dubbed ‘SuperBlack.’
On March 18, CISA confirmed the information, adding CVE-2025-24472 to its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2024-55591 was added to CISA’s KEV catalog in January.
Exploited Flaw in Widely Used GitHub Action
Alongside the Fortinet vulnerability, CISA added CVE-2025-30066 to its KEV catalog.
This supply chain compromise of the popular tj-actions/changed-files GitHub Action affected more than 23,000 repositories that use it.
GitHub Actions is GitHub's continuous integration and continuous delivery (CI/CD) platform; individual actions such as tj-actions/changed-files are reusable steps that workflows pull in by name and version.
While little known by the broader public, open source components such as these actions are building blocks of the tech stack many organizations rely on.
The incident occurred on March 14, when attackers pushed a malicious commit to the action's repository and moved multiple existing version tags to point at it, so that workflows referencing those tags silently ran the malicious code, which exposed CI/CD secrets in GitHub Actions build logs.
All versions of tj-actions/changed-files were affected, and the vulnerability was given a CVSS base score of 8.6. They have all since been corrected and sanitized by GitHub.
However, organizations that reference the action should check whether any workflow ran it during the compromise window, treat any secrets visible in those build logs as exposed and rotate them, and pin actions to a full commit SHA rather than a mutable tag.
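As an added illustration (not code from the article or from the tj-actions project), the following Python script shows the check a repository owner can run on their own workflow files: it lists every action a workflow pulls in and flags those referenced through a mutable tag or branch rather than a full commit SHA, which is what let the moved tags in this incident pull in the malicious commit. The sample workflow and the 40-character SHA in it are constructed for the example and do not correspond to any real commit.

```python
import re

# Constructed sample workflow for the example; not taken from the page or from
# any real repository. The 40-hex SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"  # v45
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - uses: docker://alpine:3.19
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# One-line `uses:` entries, optionally quoted, with trailing comments ignored.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def classify_ref(uses):
    """Classify how immutable a `uses:` reference is.

    'sha'     -> pinned to a full 40-hex commit SHA; moving a tag cannot change it
    'mutable' -> a tag or branch; whoever can write to the action repository can
                 repoint it at a malicious commit, as happened to tj-actions/changed-files
    'unpinned', 'local', 'docker' -> no git ref on a remote action repository
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA.match(ref) else "mutable"


def audit_workflow(text):
    """Return (reference, kind) for every `uses:` line in a workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if m:
            uses = m.group(1)
            findings.append((uses, classify_ref(uses)))
    return findings


def mutable_refs(text):
    """References that a tag move on the upstream repository could hijack."""
    return [u for u, kind in audit_workflow(text) if kind in ("mutable", "unpinned")]


def references_to(text, action):
    """All references to one action (owner/name) with their pin kind, so a team
    can answer 'do we use tj-actions/changed-files, and how is it pinned?'"""
    return [(u, k) for u, k in audit_workflow(text) if u.split("@", 1)[0] == action]


if __name__ == "__main__":
    for uses, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:8} {uses}")
    print("needs SHA pinning:", mutable_refs(SAMPLE_WORKFLOW))
    print("tj-actions/changed-files:", references_to(SAMPLE_WORKFLOW, "tj-actions/changed-files"))
```

Pinning to a SHA only prevents future tag moves; it does not undo what a workflow already ran. For the compromise window, the build logs of any run that used the tagged action should be reviewed and every secret they could have printed rotated. The line-based parser is deliberately minimal: it handles the common one-line `uses:` form and will miss unusual YAML layouts, so treat it as a first pass rather than a complete audit.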