Fortinet has released security patches for a critical vulnerability in its FortiSwitch devices that can be exploited to change administrator passwords remotely.
The company says Daniel Rozeboom of the FortiSwitch web UI development team discovered the vulnerability (CVE-2024-48887) internally.
Unauthenticated attackers can exploit this unverified FortiSwitch GUI password change security flaw (rated with a 9.8/10 severity score) in low-complexity attacks that don’t require user interaction.
Fortinet says threat actors can change credentials using a specially crafted request sent via the set_password endpoint.
“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet says.
CVE-2024-48887 impacts multiple FortiSwitch versions, from FortiSwitch 6.4.0 and up to FortiSwitch 7.6.0, and was addressed in FortiSwitch versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.
| Version | Affected | Patch |
|---|---|---|
| FortiSwitch 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiSwitch 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiSwitch 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiSwitch 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiSwitch 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
For those who can’t immediately apply the security updates released on Tuesday, Fortinet also provides a temporary workaround requiring them to disable ‘HTTP/HTTPS Access’ from administrative interfaces and restrict access to vulnerable FortiSwitch devices to trusted hosts.
On Tuesday, the company also patched an OS command injection (CVE-2024-54024) in FortiIsolator and flaws impacting FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb (CVE-2024-26013 and CVE-2024-50565) that unauthenticated attackers can exploit in man-in-the-middle attacks.
Fortinet vulnerabilities are often targeted in the wild, some exploited as zero days long before the company issues security patches.
For instance, in December, Chinese hackers used a DeepData post-exploitation toolkit to steal credentials using a zero-day (with no CVE ID) in Fortinet’s FortiClient Windows VPN client.
Another Fortinet FortiManager flaw, dubbed “FortiJump” and tracked as CVE-2024-47575, has been exploited as a zero-day to breach over 50 servers since June 2024.
More recently, Fortinet disclosed two more vulnerabilities (CVE-2024-55591 and CVE-2025-24472) in January and February, also exploited as zero days in ransomware attacks.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
