Friday, April 18, 2025

Critical FortiSwitch flaw lets hackers change admin passwords remotely

Fortinet has released security patches for a critical vulnerability in its FortiSwitch devices that can be exploited to change administrator passwords remotely.

The company says Daniel Rozeboom of the FortiSwitch web UI development team discovered the vulnerability (CVE-2024-48887) internally.

Unauthenticated attackers can exploit this unverified FortiSwitch GUI password change flaw (rated 9.8/10 severity) in low-complexity attacks that require no user interaction.

Fortinet says threat actors can change credentials using a specially crafted request sent to the set_password endpoint.

“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet says.

CVE-2024-48887 affects multiple FortiSwitch versions, from FortiSwitch 6.4.0 up to FortiSwitch 7.6.0, and was addressed in FortiSwitch versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.

Version          Affected               Patch
FortiSwitch 7.6  7.6.0                  Upgrade to 7.6.1 or above
FortiSwitch 7.4  7.4.0 through 7.4.4    Upgrade to 7.4.5 or above
FortiSwitch 7.2  7.2.0 through 7.2.8    Upgrade to 7.2.9 or above
FortiSwitch 7.0  7.0.0 through 7.0.10   Upgrade to 7.0.11 or above
FortiSwitch 6.4  6.4.0 through 6.4.14   Upgrade to 6.4.15 or above

For those who cannot immediately apply the security updates released on Tuesday, Fortinet also provides a temporary workaround: disable ‘HTTP/HTTPS Access’ on administrative interfaces and restrict access to vulnerable FortiSwitch devices to trusted hosts. Note that this only removes the exposed GUI; the flaw itself remains until the device is upgraded.
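As an added example (not Fortinet's code and not taken from the advisory), the following Python script performs the two triage checks a fleet owner would want after reading the version table and the workaround above: it classifies a FortiSwitchOS version string against the first fixed release of each branch Fortinet lists, and it scans a configuration export for interfaces that still permit HTTP or HTTPS administrative access, i.e. where the workaround has not been applied. The configuration syntax is assumed to follow the Fortinet CLI-export style (config / edit / set / next / end) with `set allowaccess` controlling management protocols on an interface; the sample configuration and the version strings are constructed for this example.

```python
"""Triage helpers for CVE-2024-48887 (FortiSwitch unverified password change).

Added example, not Fortinet code. Two checks against inventory data:
  1. is_vulnerable(): is a FortiSwitchOS version inside an affected range?
  2. exposed_admin_interfaces(): which interfaces in a config export still
     allow HTTP/HTTPS, i.e. the temporary workaround is not in place?
"""
import re

# Branch -> first fixed version, taken from Fortinet's table for CVE-2024-48887.
# Branches not in the table are reported as None (unknown), never as safe.
FIXED = {
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 9),
    (7, 4): (7, 4, 5),
    (7, 6): (7, 6, 1),
}

# Accepts "7.4.3", "v7.4.3" and "v7.4.3,build1234" style strings (trailing text ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a FortiSwitchOS version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiSwitchOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if affected, False if at or after the fix, None if the branch is not in the advisory."""
    ver = parse_version(version_text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


def parse_allowaccess(config_text):
    """Return {interface_name: set(services)} from the 'config system interface' block.

    Assumed Fortinet CLI-export layout: 'config system interface' ... 'edit "name"'
    ... 'set allowaccess <svc> <svc> ...' ... 'next' ... 'end'.
    """
    services = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            services.setdefault(current, set())
            continue
        if current is not None and line.startswith("set allowaccess"):
            services[current] = set(line.split()[2:])
            continue
        if line == "next":
            current = None
    return services


def exposed_admin_interfaces(config_text):
    """Interfaces that still expose the GUI over HTTP or HTTPS (workaround not applied)."""
    return sorted(
        name for name, svc in parse_allowaccess(config_text).items()
        if svc & {"http", "https"}
    )


# Constructed sample config export for this example: 'mgmt' still exposes HTTPS,
# 'internal' has had HTTP/HTTPS removed, 'uplink1' has no management access at all.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping ssh
    next
    edit "uplink1"
    next
end
"""

if __name__ == "__main__":
    for v in ("7.6.0", "7.4.5", "v7.2.8,build1234", "6.2.7"):
        print(f"{v:>18} vulnerable: {is_vulnerable(v)}")
    print("interfaces still exposing HTTP/HTTPS admin:", exposed_admin_interfaces(SAMPLE_CONFIG))
```

Run it against the version string and config backup of each switch; a `None` result means the branch is outside the advisory's table and needs a manual check rather than being treated as patched, and any interface it lists still needs `http`/`https` dropped from its management access (or upgrading) before the device can be considered covered.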

On Tuesday, the company also patched an OS command injection (CVE-2024-54024) in FortiIsolator and flaws impacting FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb (CVE-2024-26013 and CVE-2024-50565) that unauthenticated attackers can exploit in man-in-the-middle attacks.

Fortinet vulnerabilities are often targeted in the wild, some exploited as zero-days long before the company issues security patches.

For instance, in December, Chinese hackers used the DeepData post-exploitation toolkit to steal credentials using a zero-day (with no CVE ID) in Fortinet’s FortiClient Windows VPN client.

Another Fortinet FortiManager flaw, dubbed “FortiJump” and tracked as CVE-2024-47575, has been exploited as a zero-day to breach over 50 servers since June 2024.

More recently, Fortinet disclosed two more vulnerabilities (CVE-2024-55591 and CVE-2025-24472) in January and February, also exploited as zero-days in ransomware attacks.
