Fortinet urges FortiSwitch upgrades and patches critical administrator password change flaw

2 Min Read

Fortinet has released security updates to address a critical flaw in FortiSwitch that could allow an attacker to change administrator passwords without authorization.

Tracked as CVE-2024-48887, the vulnerability carries a CVSS score of 9.3 out of a maximum of 10.0.

“An unverified password change vulnerability in the FortiSwitch GUI (CWE-620) may allow remote, authenticated attackers to change their administrator passwords via specially crafted requests,” Fortinet said in an advisory released today.

The flaw affects the following versions:

  • FortiSwitch 7.6.0 (upgrade to 7.6.1 or above)
  • FortiSwitch 7.4.0 through 7.4.4 (upgrade to 7.4.5 or above)
  • FortiSwitch 7.2.0 through 7.2.8 (upgrade to 7.2.9 or above)
  • FortiSwitch 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above), and
  • FortiSwitch 6.4.0 through 6.4.14 (upgrade to 6.4.15 or above)
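Patching a fleet starts with knowing which switches sit inside the ranges above. The script below is an added example, not Fortinet's tooling: it encodes the five affected branches from the list, parses a version string as it appears in a FortiSwitch `get system status` line (the `v7.4.3,build0567` shape is an assumption about that format), and classifies each device as vulnerable, patched, or on a branch the advisory does not list. The inventory at the bottom is constructed sample data.

```python
"""Triage FortiSwitch version strings against the CVE-2024-48887 affected ranges.

Added example, not Fortinet's code. The branch table is transcribed from the
advisory summary above; hostnames and version strings below are constructed.
"""
import re

# (branch, first affected, last affected, first fixed), from the list above
AFFECTED = [
    ((7, 6), (7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4), (7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2), (7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0), (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4), (6, 4, 0), (6, 4, 14), (6, 4, 15)),
]

# Matches "7.4.3" as well as "v7.4.3,build0567" (assumed 'get system status' shape)
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) extracted from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiSwitch version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def format_version(ver):
    """Render a (major, minor, patch) tuple as 'major.minor.patch'."""
    return ".".join(str(x) for x in ver)


def assess(text):
    """Classify one version string.

    Returns (status, first_fixed) where status is:
      'vulnerable' - inside an affected range; first_fixed is the release to move to
      'patched'    - on a listed branch at or above its fixed release
      'unlisted'   - a branch the advisory does not mention (for example trains
                     older than 6.4); treat as needing manual review, not as safe
    """
    ver = parse_version(text)
    for branch, first, last, fixed in AFFECTED:
        if ver[:2] == branch:
            if first <= ver <= last:
                return "vulnerable", fixed
            return "patched", None
    return "unlisted", None


def triage(inventory):
    """Map (hostname, version string) pairs to (hostname, status, advice) rows."""
    rows = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "vulnerable":
            advice = f"upgrade to {format_version(fixed)} or above"
        elif status == "patched":
            advice = "no action for CVE-2024-48887"
        else:
            advice = "branch not covered by advisory; review manually"
        rows.append((host, status, advice))
    return rows


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("sw-core-01", "FortiSwitch-124F v7.4.3,build0567"),
    ("sw-edge-02", "7.2.9"),
    ("sw-lab-03", "6.2.7"),
    ("sw-dc-04", "v7.6.0,build0100"),
]

if __name__ == "__main__":
    for host, status, advice in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:11} {advice}")
```

Feed it the output of your own inventory export; anything reported as `unlisted` is on a train the advisory does not name and deserves a manual check rather than being assumed safe.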

The network security company said the flaw was discovered internally and reported by Daniel Rozeboom of the FortiSwitch Web UI development team.

As a workaround, Fortinet recommends disabling HTTP/HTTPS access on administrative interfaces and restricting access to the system to trusted hosts only.

Although there is no evidence that the vulnerability has been exploited in the wild, many security flaws in Fortinet products have been weaponized by threat actors, so users should apply the patches quickly.
