Source URL: https://www.cisa.gov/news-events/alerts/2025/03/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
Source: Alerts
Title: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Feedly Summary: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
– CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
– CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
AI Summary and Description: Yes
Summary: The text discusses recent additions to CISA’s Known Exploited Vulnerabilities Catalog, highlighting critical vulnerabilities that pose risks to federal networks. CISA’s Binding Operational Directive 22-01 emphasizes the importance of timely remediation, urging all organizations to prioritize addressing these vulnerabilities.
Detailed Description:
The provided text focuses on two newly identified vulnerabilities that have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog. These vulnerabilities are noteworthy due to their potential impact on federal cybersecurity and the implications they hold for broader security practices among all organizations.
– **New Vulnerabilities Identified:**
  – **CVE-2025-24472:** An authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy that can allow unauthorized access.
  – **CVE-2025-30066:** An embedded malicious code vulnerability in the tj-actions/changed-files GitHub Action.
– **Impact of These Vulnerabilities:**
  – Such vulnerabilities are common attack vectors used by malicious actors.
  – They pose significant risks, particularly to federal enterprise networks, where security is paramount.
– **Binding Operational Directive (BOD) 22-01:**
  – Established by CISA to address and manage known exploited vulnerabilities within the federal landscape.
  – It requires Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities by a specified due date to protect their networks against ongoing threats.
– **Broader Implications:**
  – While BOD 22-01 applies only to FCEB agencies, CISA advises all organizations to prioritize remediation of known exploited vulnerabilities, which is crucial for strengthening overall cybersecurity posture against potential attacks.
  – CISA continues to evolve the catalog, adding vulnerabilities that meet its specified criteria, reflecting a proactive approach to cybersecurity management.
Overall, the information contained in the text is vital for security and compliance professionals, as it highlights the necessity of addressing identified vulnerabilities and maintaining a robust vulnerability management program to defend against potential cyber threats.