Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw

Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.

The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.

“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.

The shortcoming impacts the following versions:

FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)

The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.

As workarounds, Fortinet recommends disabling HTTP/HTTPS access on administrative interfaces and restricting administrative access to trusted hosts only.

While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.


The Hacker News
