Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.
The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.
"An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request," Fortinet said in an advisory released today.
The shortcoming affects the following versions -
- FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
- FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
- FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
- FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
- FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.
As workarounds, Fortinet recommends disabling HTTP/HTTPS access on administrative interfaces and restricting access to the system to trusted hosts only. Note that this removes the attack surface the flaw lives in (the GUI) rather than fixing the flaw itself, so it is a stopgap until the affected branch is upgraded.
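As an added example (this is not Fortinet's code nor anything from the advisory), the following Python script turns the affected-version table above into a check that can be run against a FortiSwitch version string, and audits a dumped `config system interface` block for management interfaces that still expose HTTP or HTTPS, emitting the CLI that would apply the workaround. The sample configuration is constructed for illustration; the `set allowaccess` / `unset allowaccess` syntax is assumed from FortiOS-style CLI conventions, and any version outside the five branches the advisory lists is reported as "not covered" rather than as safe.

```python
"""Assess a FortiSwitch build against CVE-2024-48887 and audit the
HTTP/HTTPS workaround. Added illustration, not Fortinet's tooling."""
import re

# Affected ranges and first fixed release, transcribed from the advisory
# list above. Each entry: (branch, first affected, last affected, first fixed).
AFFECTED = [
    ((7, 6), (7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4), (7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2), (7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0), (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4), (6, 4, 0), (6, 4, 14), (6, 4, 15)),
]

# Protocols the GUI rides on; the workaround removes exactly these.
WEB_PROTOCOLS = {"http", "https"}


def parse_version(text):
    """Pull (major, minor, patch) out of '7.4.3', 'v7.4.3' or a longer
    status line such as 'Version: FortiSwitch-124F v7.4.3,build0XXX'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return (vulnerable, first_fixed). vulnerable is True/False for a branch
    the advisory covers and None for a branch it does not mention, because an
    unlisted (e.g. end-of-support) branch is not evidence of safety."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for branch, first, last, fixed in AFFECTED:
        if v[:2] == branch:
            return (first <= v <= last, fixed)
    return (None, None)


def parse_interfaces(show_output):
    """Map each interface name in a 'config system interface' dump to the set
    of protocols in its 'set allowaccess' line (empty set if none)."""
    interfaces = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
            continue
        m = re.match(r"set allowaccess\s+(.+)$", line)
        if m and current is not None:
            interfaces[current] = set(m.group(1).split())
        elif line in ("next", "end"):
            current = None
    return interfaces


def web_exposed(show_output):
    """Interfaces that still answer HTTP/HTTPS, i.e. where the workaround
    has not been applied, with the offending protocols."""
    return {name: protos & WEB_PROTOCOLS
            for name, protos in parse_interfaces(show_output).items()
            if protos & WEB_PROTOCOLS}


def workaround_commands(show_output):
    """Emit CLI that strips http/https from each exposed interface while
    keeping whatever else was allowed (assumed FortiOS-style syntax)."""
    lines = ["config system interface"]
    for name, protos in parse_interfaces(show_output).items():
        if not protos & WEB_PROTOCOLS:
            continue
        keep = " ".join(sorted(protos - WEB_PROTOCOLS))
        setting = f"set allowaccess {keep}" if keep else "unset allowaccess"
        lines += [f'    edit "{name}"', f"        {setting}", "    next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample of what 'show system interface' might print; the
# "internal" interface still exposes the GUI, "mgmt" does not.
SAMPLE_SHOW_SYSTEM_INTERFACE = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https http ssh snmp telnet
        set type physical
    next
    edit "mgmt"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ping ssh
        set type physical
    next
end
"""

if __name__ == "__main__":
    for v in ("7.4.3", "v7.4.5", "7.6.0", "6.2.7"):
        print(v, "->", assess(v))
    print("GUI still exposed on:", web_exposed(SAMPLE_SHOW_SYSTEM_INTERFACE))
    print(workaround_commands(SAMPLE_SHOW_SYSTEM_INTERFACE))
```

Feed `assess()` the output of `get system status` and `parse_interfaces()` the output of `show system interface`; the trusted-host part of the workaround is configured separately on the admin accounts and is not covered by this check.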
While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.