A critical vulnerability in Fortinet’s FortiSwitch devices allows attackers to remotely change administrator passwords. This FortiSwitch flaw, tracked as CVE-2024-48887, has been patched by Fortinet.
The vulnerability, discovered internally by Daniel Rozeboom of the FortiSwitch web UI development team, allows unauthenticated attackers to modify admin passwords using a specially crafted request sent to the set_password endpoint. Fortinet rates the severity as 9.8/10.
“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” states Fortinet.
This low-complexity attack requires no user interaction.
Multiple FortiSwitch versions are affected, ranging from 6.4.0 to 7.6.0. Patches are available in versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1. For those unable to update immediately, Fortinet provides a temporary workaround: disable 'HTTP/HTTPS Access' on administrative interfaces and restrict management access to trusted hosts. Note that this only reduces exposure of the GUI; it does not remove the flaw, so the upgrade should still follow.
This FortiSwitch flaw is one of several vulnerabilities patched by Fortinet on Tuesday. Others include an OS command injection (CVE-2024-54024) in FortiIsolator, and flaws impacting FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb (CVE-2024-26013 and CVE-2024-50565). These vulnerabilities highlight the ongoing threat posed by unpatched network devices. Fortinet vulnerabilities are frequently exploited in the wild, often as zero-days.
Affected Versions and Patches:
- FortiSwitch 7.6: 7.6.0 – Upgrade to 7.6.1 or above
- FortiSwitch 7.4: 7.4.0 through 7.4.4 – Upgrade to 7.4.5 or above
- FortiSwitch 7.2: 7.2.0 through 7.2.8 – Upgrade to 7.2.9 or above
- FortiSwitch 7.0: 7.0.0 through 7.0.10 – Upgrade to 7.0.11 or above
- FortiSwitch 6.4: 6.4.0 through 6.4.14 – Upgrade to 6.4.15 or above
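The version table above is easy to misread by hand when triaging a large estate, because each branch has its own cutoff. The script below is an added example written for this article (not Fortinet tooling) that encodes the published ranges and classifies a constructed device inventory. The version strings and hostnames are assumptions for illustration; a branch that does not appear in the table (for example 6.2) is reported as "unknown" rather than "patched", since the advisory says nothing about it and older branches are typically out of support.

```python
"""Triage FortiSwitch firmware versions against the CVE-2024-48887 table.

Added example for this article; not Fortinet's code. The inventory below is
constructed for illustration and does not describe real devices.
"""
import re

# (branch, first affected, last affected, first fixed), from the table above.
AFFECTED_RANGES = [
    ((7, 6), (7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4), (7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2), (7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0), (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4), (6, 4, 0), (6, 4, 14), (6, 4, 15)),
]

# Accepts "7.4.4", "v7.4.4" and strings with trailing build info such as
# "v7.4.4,build0001" (assumed format; only the leading x.y.z is used).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or raise ValueError."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiSwitch version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify one version string.

    Returns (status, fix_version):
      ("vulnerable", "7.4.5")  version falls inside an affected range
      ("patched", None)        branch is in the table and version >= fix
      ("unknown", None)        branch not covered by the advisory at all
    """
    version = parse_version(version_text)
    branch = version[:2]
    for table_branch, first, last, fixed in AFFECTED_RANGES:
        if branch == table_branch:
            if first <= version <= last:
                return "vulnerable", ".".join(str(n) for n in fixed)
            return "patched", None
    return "unknown", None


def triage(inventory):
    """Map hostname -> (status, fix_version) for a {host: version} dict."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sw-core-01": "v7.4.4,build0001",   # last affected 7.4.x build
    "sw-core-02": "v7.4.5",             # first fixed 7.4.x build
    "sw-edge-11": "7.6.0",              # only affected 7.6 release
    "sw-edge-12": "7.0.11",             # fixed
    "sw-lab-99": "6.2.7",               # branch not in the advisory
}

if __name__ == "__main__":
    for host, (status, fix) in sorted(triage(SAMPLE_INVENTORY).items()):
        action = f"upgrade to {fix} or above" if fix else "-"
        print(f"{host:12} {status:11} {action}")
```

Vulnerable hosts that cannot be upgraded right away are the ones to apply the workaround to first: remove HTTP/HTTPS from the management interface's allowed access and limit admin logins to trusted hosts, then schedule the upgrade.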
This FortiSwitch flaw allows remote attackers to change admin passwords, emphasizing the urgent need for security updates.