The Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) catalog, adding two critical security flaws affecting Fortinet and GitHub Actions. These newly listed vulnerabilities (CVE-2025-24472 and CVE-2025-30066) pose serious risks to enterprise security and require immediate attention from IT administrators.

CISA's Growing Focus on Actively Exploited Vulnerabilities

CISA's KEV catalog serves as a critical resource for organizations to prioritize patching efforts against vulnerabilities being actively exploited in the wild. The latest additions continue the agency's pattern of identifying and publicizing security flaws that attackers are currently leveraging:

  • CVE-2025-24472: A severe authentication bypass in Fortinet's FortiOS
  • CVE-2025-30066: A privilege escalation vulnerability in GitHub Actions

Deep Dive: Fortinet FortiOS Authentication Bypass (CVE-2025-24472)

This critical vulnerability affects multiple versions of FortiOS, the operating system powering Fortinet's firewall solutions. Security researchers have observed active exploitation attempts targeting:

  • FortiOS 7.4.0 through 7.4.2
  • FortiOS 7.2.0 through 7.2.5
  • FortiOS 7.0.0 through 7.0.12

Impact: Successful exploitation allows attackers to bypass authentication mechanisms and gain administrative access to vulnerable devices. This could lead to complete network compromise, data exfiltration, and lateral movement within enterprise environments.

Mitigation: Fortinet has released patches for all affected versions. Organizations should:

  1. Immediately update to FortiOS 7.4.3, 7.2.6, or 7.0.13
  2. Review firewall logs for unusual authentication attempts
  3. Implement network segmentation for critical assets

GitHub Actions Privile Escalation (CVE-2025-30066)

This vulnerability in GitHub's CI/CD platform affects workflows using certain actions with improper permission handling. The flaw enables:

  • Unauthorized code execution in repository contexts
  • Potential compromise of sensitive GitHub tokens
  • Access to secrets stored in workflows

Affected Components:
- GitHub-hosted runners
- Self-hosted runners with default configurations
- Workflows using vulnerable third-party actions

Protective Measures:

  • Review all GitHub Actions workflows for unnecessary permissions
  • Update to GitHub's latest runner versions
  • Implement principle of least privilege for workflow permissions
  • Rotate all repository secrets as precaution

Enterprise Security Implications

These vulnerabilities present particular danger because:

  1. Critical Infrastructure Exposure: Fortinet devices often protect sensitive networks
  2. Software Supply Chain Risks: Compromised GitHub Actions can affect downstream applications
  3. Lateral Movement Potential: Both vulnerabilities enable deeper network penetration

CISA's Binding Operational Directive

Under BOD 22-01, all federal agencies must remediate these vulnerabilities within strict timelines:

Vulnerability Remediation Deadline
CVE-2025-24472 7 days from catalog addition
CVE-2025-30066 14 days from catalog addition

While these requirements specifically apply to federal agencies, CISA strongly recommends all organizations treat them with equal urgency.

Detection and Response Strategies

Security teams should implement these detection methods:

For Fortinet Devices:
- Monitor for unexpected configuration changes
- Watch for new administrative accounts
- Analyze authentication logs for anomalies

For GitHub Environments:
- Audit workflow runs for unexpected steps
- Monitor for unusual secret access
- Review runner utilization patterns

Long-Term Security Considerations

These vulnerabilities highlight several ongoing security challenges:

  • The increasing sophistication of authentication bypass attacks
  • Growing risks in CI/CD pipelines
  • Need for more robust secret management
  • Importance of timely patch management

Organizations should view these incidents as opportunities to strengthen their overall security posture beyond just applying the immediate fixes.

  1. Prioritize Patching: Apply vendor updates immediately
  2. Enhance Monitoring: Increase scrutiny of affected systems
  3. Review Access Controls: Verify principle of least privilege
  4. Update Incident Response Plans: Include these specific scenarios
  5. Conduct Security Awareness Training: Educate teams about new threats

CISA continues to update its KEV catalog as new threats emerge, making regular review of this resource an essential security practice for all organizations.