CISA Warns of Active Ransomware Campaign Exploiting Fortinet Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of an active ransomware campaign exploiting a critical vulnerability in Fortinet products. The Mora_001 group, linked to LockBit, is using this flaw to deploy 'SuperBlack' ransomware.
The vulnerability, CVE-2025-24472, is an authentication bypass that affects various FortiOS and FortiProxy versions. Fortinet disclosed it in mid-January 2025 with a high severity rating and a CVSS base score of 8.1. Exploiting this flaw allows remote attackers to gain super-admin privileges via crafted CSF proxy requests. CISA confirmed the exploitation and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 18. Users are advised to install patched versions to mitigate the risk.
In a separate alert, CISA added CVE-2025-30066 to its KEV catalog. This supply chain vulnerability affects the tj-actions/changed-files GitHub Action, impacting over 23,000 organizations. The flaw, which carries a CVSS base score of 8.6, exposed CI/CD secrets in GitHub Actions build logs. Affected organizations likely include software development companies, DevOps teams, and enterprises worldwide that rely on GitHub Actions for CI/CD automation.
Organizations using Fortinet products and GitHub Actions are urged to address these vulnerabilities promptly. Patching affected systems and reviewing CI/CD pipelines for potential exposure can help mitigate the risk of ransomware attacks and data breaches.