Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.
The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.
“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.
The shortcoming impacts the following versions –
- FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
- FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
- FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
- FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
- FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.
As workarounds, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and restricting access to the system to only trusted hosts.
While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.
