Fortinet Urges FortiSwitch Users to Patch Critical Flaw Allowing Unauthorized Admin Password Reset

137/68 Thursday, April 10, 2025

Fortinet has released a critical security patch addressing a vulnerability in FortiSwitch that could allow an attacker to change the administrator password without authentication. Tracked as CVE-2024-48887, the flaw carries a CVSS severity score of 9.3 out of 10, indicating a critical risk. According to Fortinet, the vulnerability stems from insufficient authentication checks in the GUI-based password change process, which can be exploited remotely through specially crafted HTTP requests.

The vulnerability affects the following FortiSwitch versions:

  • FortiSwitch 7.6.0 (upgrade to 7.6.1 or later)
  • FortiSwitch 7.4.0 through 7.4.4 (upgrade to 7.4.5 or later)
  • FortiSwitch 7.2.0 through 7.2.8 (upgrade to 7.2.9 or later)
  • FortiSwitch 7.0.0 through 7.0.10 (upgrade to 7.0.11 or later)
  • FortiSwitch 6.4.0 through 6.4.14 (upgrade to 6.4.15 or later)
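To turn the version list above into something an operator can run over a device inventory, here is an added example (written for this page, not code from Fortinet or from the article). It encodes the affected ranges and fixed versions exactly as listed, parses FortiSwitch version strings, and classifies each device as affected, patched, or on a branch the advisory does not list. Device names and version strings in the sample inventory are constructed for illustration.

```python
# Added example: triage FortiSwitch versions against the CVE-2024-48887 advisory ranges.
# The ranges and fixed versions below are copied from the advisory text above;
# hostnames and version strings in SAMPLE_INVENTORY are constructed sample data.

# (lowest affected, highest affected, first fixed release) per branch
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 0), "7.6.1"),
    ((7, 4, 0), (7, 4, 4), "7.4.5"),
    ((7, 2, 0), (7, 2, 8), "7.2.9"),
    ((7, 0, 0), (7, 0, 10), "7.0.11"),
    ((6, 4, 0), (6, 4, 14), "6.4.15"),
]


def parse_version(text):
    """Turn '7.2.3', 'v7.2.3' or 'v7.2.3,build0042' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSwitch version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Return (status, fixed_version).

    status is 'affected' (upgrade to fixed_version), 'patched' (same branch,
    at or above the fix), or 'unlisted' (branch not covered by the advisory,
    which is a reason to check support status, not a clean bill of health).
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", fixed
        if v[:2] == low[:2] and v > high:
            return "patched", None
    return "unlisted", None


def triage_inventory(inventory):
    """inventory: iterable of (hostname, version string).

    Returns a list of dicts, one per device, with the classification and the
    release to upgrade to. Unparseable versions are reported rather than skipped,
    so a bad inventory record cannot silently hide an affected switch.
    """
    report = []
    for host, version in inventory:
        try:
            status, fixed = classify(version)
        except ValueError:
            status, fixed = "unparseable", None
        report.append({"host": host, "version": version, "status": status, "upgrade_to": fixed})
    return report


def affected_hosts(inventory):
    """Convenience wrapper: hostnames that must be upgraded, with the target release."""
    return [(r["host"], r["upgrade_to"]) for r in triage_inventory(inventory)
            if r["status"] == "affected"]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("sw-core-01", "v7.4.3,build0042"),
    ("sw-access-12", "7.2.9"),
    ("sw-lab-03", "v6.4.14"),
    ("sw-legacy-07", "6.2.7"),
    ("sw-bad-record", "unknown"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<15} {row['version']:<20} {row['status']:<12} "
              f"{row['upgrade_to'] or '-'}")
```

Run it against an export of your switch inventory; anything reported as `affected` needs the listed release, and `unlisted` or `unparseable` rows deserve a manual look rather than being treated as safe.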

Although Fortinet has not yet observed this vulnerability being actively exploited, the company strongly urges customers to apply the latest updates immediately. As an additional precaution, administrators are advised to disable FortiSwitch GUI access via HTTP/HTTPS and limit access only to trusted management hosts while the patch is being deployed. These measures can significantly reduce exposure to unauthorized access in the interim.

Source: https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html