The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to organizations, confirming that a critical vulnerability in Fortinet products is being actively exploited in an ongoing ransomware campaign.
The agency has also added a separate supply chain vulnerability affecting the widely used GitHub Actions platform to its Known Exploited Vulnerabilities (KEV) catalog.
The Fortinet vulnerability, designated CVE-2025-24472, allows remote attackers to gain super-administrator privileges through crafted CSF proxy requests. The flaw, an authentication bypass using an alternate path, affects multiple versions of FortiOS and FortiProxy: FortiOS 7.0.0 through 7.0.16, and FortiProxy 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19.
Fortinet initially disclosed the vulnerability in mid-January 2025, assigning it a high severity rating with a CVSS base score of 8.1. The company urged users to immediately apply patches, specifically installing versions 7.0.17, 7.2.13, and 7.0.20.
On March 12, cybersecurity firm Forescout revealed that the ransomware group Mora_001, suspected of ties to the notorious LockBit operation, was actively exploiting CVE-2025-24472 alongside another Fortinet vulnerability, CVE-2024-55591, in the deployment of a new ransomware strain known as “SuperBlack.”
CVE-2024-55591 had already been added to CISA’s KEV catalog in January.
CISA confirmed Forescout’s findings on March 18, adding CVE-2025-24472 to its KEV catalog and highlighting the urgency of patching affected systems.
In a separate but equally concerning development, CISA also added CVE-2025-30066 to its KEV catalog. This vulnerability affects the popular tj-actions/changed-files GitHub Action, a crucial component of many organizations’ continuous integration and continuous delivery (CI/CD) pipelines. GitHub Actions are widely used to automate the building, testing, and deployment of software.
The supply chain compromise, which occurred on March 14, saw attackers modify the action's code and repoint multiple existing version tags at a malicious commit, so that workflows referencing the action by tag pulled in the attacker's code on their next run. The malicious code exposed sensitive CI/CD secrets in GitHub Actions build logs, potentially impacting over 23,000 organizations.
All versions of tj-actions/changed-files were affected, and the vulnerability was assigned a CVSS base score of 8.6. GitHub has since corrected and sanitized the affected versions.
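The tj-actions/changed-files incident worked because version tags in a GitHub Action repository are mutable references: a tag such as `v45` can be moved to a different commit after the fact, and every workflow that references the action by that tag silently picks up the new code. The standard mitigation is to reference third-party actions by their full 40-character commit SHA, which cannot be repointed. The following Python script is an added example written for this article, not code from CISA, GitHub or the tj-actions project; it scans workflow YAML for `uses:` lines and reports every third-party action that is not pinned to a full commit SHA. The workflow text and the commit SHA in it are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the article). Two steps reference
# actions by mutable tag, one by a full commit SHA (the SHA is a made-up
# placeholder, not a real commit), one is a local action, one a Docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45   # mutable tag: can be repointed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# Matches "uses: <ref>" whether the step starts with "- uses:" or has the
# "uses:" key on its own line; stops at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full Git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'sha', 'mutable', 'local' or 'docker' for a uses: reference.

    Only 'sha' is immutable: tags, branch names and short SHAs can all be
    changed by whoever controls the upstream repository.
    """
    if ref.startswith("./"):
        return "local"           # action checked out with the repo itself
    if ref.startswith("docker://"):
        return "docker"          # image tags are mutable too, handled separately
    if "@" not in ref:
        return "mutable"         # no ref at all
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for every third-party action that is
    referenced by a mutable tag or branch instead of a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_uses(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to a commit SHA")
```

Run against a real repository by reading each file under `.github/workflows/` instead of `SAMPLE_WORKFLOW`. A SHA-pinned reference is conventionally followed by a comment naming the tag it corresponds to (`# v4` above) so that reviewers can still see which release is in use; tooling such as Dependabot can then raise the SHA when a new release appears.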