Here are the CVE updates for the week of March 17th through the 23rd.
CRITICAL SEVERITY VULNERABILITIES
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability | CVE-2025-30066 (CISA KEV)
Description: The CVE-2025-30066 vulnerability affects tj-actions changed-files versions before 46, allowing remote attackers to discover secrets by reading GitHub Actions logs. On March 14 and 15, 2025, a threat actor modified the tags (v1 through v45.0.7) to point at a malicious commit (0e58ed8) containing altered updateFeatures code. This malicious code potentially exposed sensitive secrets in the logs, such as API keys, tokens, or credentials.
Potential Impacts:
- Secret Leakage: Attackers could extract API keys, tokens, or credentials from the GitHub Actions logs.
- Privilege Escalation: Leaked secrets could be used to gain elevated access to systems or services.
- Code Tampering: Compromised access could lead to manipulation of code, deployment pipelines, or infrastructure.
- Supply Chain Attack: Attackers could inject malicious code into repositories, affecting downstream users.
Mitigation Recommendations:
- Update to Version 46 or Later: Upgrade to the patched version 46 of tj-actions changed-files to prevent secret exposure.
- Review GitHub Actions Logs: Check for any leaked secrets in the logs from the affected timeframe (March 14–15, 2025).
- Revoke and Rotate Secrets: Immediately revoke and rotate any secrets used in the affected GitHub Actions workflows.
- Enable GitHub Security Alerts: Monitor for suspicious activity or vulnerabilities in GitHub repositories.
- Validate Tags and Commits: Verify the authenticity of tags and commits before deployment, especially for GitHub Actions.
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability | CVE-2025-24472 (CISA KEV)
Description: The CVE-2025-24472 vulnerability is an Authentication Bypass Using an Alternate Path or Channel issue (CWE-288) affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19. A remote, unauthenticated attacker can exploit this flaw by sending crafted CSF (Central Security Fabric) proxy requests. Successful exploitation may result in the attacker gaining super-admin privileges, granting full control over the affected FortiOS or FortiProxy system.
Potential Impacts:
- Privilege Escalation: Attackers could gain super-admin privileges, providing full control over the FortiOS or FortiProxy device.
- Data Breach: Unauthorized access could expose sensitive information stored or processed by the system.
- Service Disruption: Attackers may modify configurations, disrupt services, or introduce backdoors.
- Lateral Movement: Compromised devices could be used as a foothold for further attacks within the network.
Mitigation Recommendations:
- Apply Security Patches: Upgrade to the latest patched versions of FortiOS and FortiProxy to fix the vulnerability.
- Monitor Network Traffic: Inspect for unusual or suspicious CSF proxy requests to detect potential exploitation attempts.
- Restrict External Access: Limit external access to CSF proxy services to reduce exposure.
- Enable Multi-Factor Authentication (MFA): Strengthen authentication security to reduce the risk of unauthorized access.
- Review System Logs: Regularly audit logs for signs of unauthorized access or suspicious activity.
Edimax IC-7100 IP Camera OS Command Injection Vulnerability | CVE-2025-1316 (CISA KEV)
Description: The CVE-2025-1316 vulnerability affects the Edimax IC-7100 IP camera, which fails to properly neutralize requests. This flaw allows attackers to craft specially designed requests that exploit the improper input handling, leading to remote code execution (RCE) on the device. Successful exploitation grants attackers unauthorized access to the camera, potentially compromising its functionality and exposing sensitive data.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can execute arbitrary commands on the device, gaining full control.
- Surveillance Hijacking: Unauthorized access could allow attackers to view or manipulate camera feeds.
- Data Exfiltration: Exploited cameras may reveal sensitive data such as video recordings or stored credentials.
- Network Compromise: An attacker could use the compromised camera as an entry point to pivot into the internal network.
- Device Bricking: Malicious commands could render the device inoperable.
Mitigation Recommendations:
- Apply Firmware Updates: Check for and install any available firmware patches from Edimax to fix the vulnerability.
- Restrict Remote Access: Limit or disable remote access to the camera’s admin interface.
- Use Network Segmentation: Isolate IoT devices, such as IP cameras, from the main network to prevent lateral movement.
- Enable Strong Authentication: Use strong, unique passwords for the camera’s admin interface to reduce the attack surface.
- Monitor for Suspicious Activity: Regularly review logs and network traffic for unusual or unauthorized access attempts.
- Disable Unnecessary Services: Turn off unused services or features to minimize potential attack vectors.
HIGH SEVERITY VULNERABILITIES
SAP NetWeaver Directory Traversal Vulnerability | CVE-2017-12637 (CISA KEV): The CVE-2017-12637 vulnerability is a directory traversal issue in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS within SAP NetWeaver Application Server Java 7.5. This flaw allows remote attackers to read arbitrary files by appending .. (dot dot) sequences in the query string. The vulnerability was actively exploited in the wild in August 2017, as documented in SAP Security Note 2486657.
NAKIVO Backup and Replication Absolute Path Traversal Vulnerability | CVE-2024-48248 (CISA KEV): The CVE-2024-48248 vulnerability affects NAKIVO Backup & Replication versions before 11.0.0.88174, allowing absolute path traversal through the getImageByPath parameter in the /c/router endpoint. This flaw enables attackers to read arbitrary files on the server. Due to the presence of cleartext credentials in the PhysicalDiscovery component, successful exploitation could lead to remote code execution (RCE) across the enterprise, granting attackers unauthorized access to critical systems.
Server-Side Template Injection (SSTI) Leading to RCE in AutoGPT | CVE-2025-1040: The CVE-2025-1040 vulnerability affects AutoGPT versions 0.3.4 and earlier, which are susceptible to Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE). The flaw originates from the improper handling of user-supplied format strings in the AgentOutputBlock implementation, where malicious input is processed by the Jinja2 templating engine without sufficient security measures. Attackers can exploit this vulnerability to execute arbitrary commands on the host system. The issue is resolved in version 0.4.0.
MEDIUM SEVERITY VULNERABILITIES
Improper Access Control in open-webui/open-webui | CVE-2024-7045: The CVE-2024-7045 vulnerability affects open-webui/open-webui version v0.3.8, where improper access control allows attackers to view any prompts. The application fails to verify whether the attacker has administrative privileges, enabling unauthorized users to directly call the /api/v1/prompts/ interface and retrieve all prompt information created by the admin, including ID values. Attackers can further exploit the /api/v1/prompts/command/{command_id} interface to obtain arbitrary prompt information.
Stored Cross-Site Scripting (XSS) in Adobe Experience Manager | CVE-2024-53970: The CVE-2024-53970 vulnerability affects Adobe Experience Manager (AEM) versions 6.5.21 and earlier, where a stored Cross-Site Scripting (XSS) flaw allows low-privileged attackers to inject malicious scripts into vulnerable form fields. When victims browse the page containing the compromised field, the malicious JavaScript is executed in their browser, potentially leading to session hijacking, data theft, or further exploitation.
Information Disclosure Vulnerability in AOS-CX CLI | CVE-2025-27080: The CVE-2025-27080 vulnerability affects the command line interface (CLI) of AOS-CX, where an authenticated remote attacker can exploit the flaw to expose sensitive information. Successful exploitation could allow the attacker to gain unauthorized access to services beyond the affected switch, potentially facilitating lateral movement across the network. This could lead to further compromise of adjacent systems or services.