US CERT Current Activity

Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066

Mar 18, 2025

A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. This has been patched in v46.0.1.  CISA added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog.  CISA strongly urges users to implement the recommendations to mitigate this compromise and strengthen security when using third-party actions.   See the following resources for more guidance:  GitHub: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs   GitHub: Security hardening for GitHub Actions - GitHub Docs  GitHub: tj-actions/changed-files: :octocat: Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories  StepSecurity: Harden-Runner detection: tj-actions/changed-files action is compromised  Wiz: GitHub Action tj-actions/changed-files supply chain attack  Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.   This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise. 

Continue Reading ›

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Mar 18, 2025

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Continue Reading ›

CISA Releases Seven Industrial Control Systems Advisories

Mar 18, 2025

CISA released seven Industrial Control Systems (ICS) advisories on March 18, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-077-01 Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) ICSA-25-077-02 Rockwell Automation Lifecycle Services with VMware ICSA-25-077-03 Schneider Electric EcoStruxure Power Automation System ICSA-25-077-04 Schneider Electric EcoStruxure Panel Server ICSA-25-077-05 Schneider Electric ASCO 5310/5350 Remote Annunciator  ICSA-24-352-04 Schneider Electric Modicon (Update A) ICSA-24-291-03 Mitsubishi Electric CNC Series (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Continue Reading ›

Pages

Related Content