Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw


Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.

The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.

“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.

The shortcoming impacts the following versions –

FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
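The version ranges above are what a defender needs to triage an inventory, but comparing firmware strings by hand across five branches is error-prone. The following is an added example (not code from Fortinet or The Hacker News) that encodes the advisory's affected ranges and fixed releases for CVE-2024-48887 and reports, for each switch, whether it is in an affected range and which release to move to. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
# Added example: triage FortiSwitch firmware versions against the affected
# ranges published for CVE-2024-48887. Ranges and fixed releases are taken
# from the advisory text; the sample inventory below is constructed.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) for each release branch
AFFECTED_RANGES: List[Tuple[Version, Version, Version]] = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
]


def parse_version(text: str) -> Version:
    """Turn '7.2.3' or 'v7.2.3' into a tuple that compares numerically.

    Tuple comparison is used deliberately: a string compare would rank
    '7.0.9' above '7.0.10', which is exactly the mistake that leaves a
    vulnerable device marked as patched.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release) for one FortiSwitch version.

    A version outside every listed range (e.g. 7.6.2, or a branch not in
    the advisory) is reported as not affected by *this* advisory only.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Apply assess() to (hostname, version) pairs from an asset inventory."""
    return [(host, ver, *assess(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    INVENTORY = [
        ("sw-core-1", "7.4.3"),
        ("sw-edge-2", "7.2.9"),
        ("sw-lab-3", "v6.4.10"),
        ("sw-dist-4", "7.6.0"),
    ]
    for host, ver, affected, fix in triage(INVENTORY):
        status = f"AFFECTED -> upgrade to {fix} or above" if affected else "not in affected range"
        print(f"{host:<10} {ver:<8} {status}")
```

Feed it the firmware versions from your switch inventory and act on every line marked AFFECTED; until the upgrade lands, the workarounds in the advisory (disabling HTTP/HTTPS administrative access and restricting management access to trusted hosts) apply to those devices.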

The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.

As workarounds, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and restricting access to the system to only trusted hosts.

While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.


The Hacker News
