Critical Fortinet Flaw Allows Remote, Unauthenticated Admin Password Change

The vulnerability has a CVSS score of 9.8 and is obviously rated as critical.

Fortinet has released an update for many versions of its FortiSwitch software to fix a vulnerability that can allow an attacker to change the admin password on vulnerable devices.

Why it Matters: Well, because you don’t want remote, unauthenticated attackers to be able to change the admin password on a switch. That’s generally not expected behavior on a secure switching platform. The vulnerability has a CVSS score of 9.8 and is obviously rated as critical. Fortinet disclosed the flaw on Tuesday and released updates for the affected versions, which include FortiSwitch 6.4, 7.0, 7.2, 7.4, and 7.6.

Key Details

  • CVE-2024-48887 was discovered internally by a Fortinet developer, and the company did not say that there is any known exploit activity against it.

  • In its advisory, Fortinet described the bug thusly: “An unverified password change vulnerability in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request.”

  • There are two workarounds that can mitigate the vulnerability: disabling HTTP/HTTPS access on the admin interface, and restricting which hosts can connect to the admin interface to trusted hosts only.

  • The updated versions that include the patch are 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.
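The two things a defender actually has to do with this advisory are (a) find which switches in inventory are still below the fixed release for their branch and (b) confirm the workarounds are in place on anything that cannot be patched yet. The script below is an added example written for this post; it is not Fortinet's code or Vulnerable U's. The fixed-version table comes from the advisory as reported above. The config parser assumes the FortiOS-style `config system interface` / `set allowaccess ...` and `config system admin` / `set trusthostN ...` syntax that Fortinet CLIs generally use; the sample config, hostnames and version strings are constructed for the example, so check the parser against a real backup from your own device before trusting it.

```python
"""Triage helper for CVE-2024-48887 (FortiSwitch unverified password change).

Check 1: is a FortiSwitch version below the fixed release for its branch?
Check 2: does a config backup still expose HTTP/HTTPS on an interface, or
         have admin accounts with no trusted-host restriction (the two
         workarounds from the advisory)?
"""
import re

# Fixed releases per affected branch, as listed in the advisory.
FIXED_VERSIONS = {
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 11),
    (7, 2): (7, 2, 9),
    (7, 4): (7, 4, 5),
    (7, 6): (7, 6, 1),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from '7.4.3' or 'v7.4.3,build0821'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiSwitch version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_patch(version_text):
    """True if the version is on an affected branch and below its fixed release.

    Branches the advisory does not list (e.g. 6.2) return False, meaning
    'not covered by this advisory', not 'safe'; treat them as out of support.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


# Constructed sample config in assumed FortiOS-style syntax (not a real backup).
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "internal"
        set ip 192.0.2.20 255.255.255.0
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "netops"
        set accprofile "super_admin"
    next
end
"""


def parse_config(config_text):
    """Walk a 'config ... edit ... set ... next ... end' dump and collect
    per-interface allowaccess lists and per-admin trusthost entries."""
    sections, current = [], None
    interfaces, admins = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[7:])
        elif line == "end":
            sections.pop()
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            if sections and sections[-1] == "system interface":
                interfaces.setdefault(current, [])
            elif sections and sections[-1] == "system admin":
                admins.setdefault(current, [])
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None and sections:
            key, *values = line[4:].split()
            if sections[-1] == "system interface" and key == "allowaccess":
                interfaces[current] = values
            elif sections[-1] == "system admin" and key.startswith("trusthost"):
                admins[current].append(" ".join(values))
    return {"interfaces": interfaces, "admins": admins}


def interfaces_exposing_web_gui(parsed):
    """Interfaces where workaround 1 (disable HTTP/HTTPS) is not applied."""
    return sorted(name for name, protos in parsed["interfaces"].items()
                  if {"http", "https"} & set(protos))


def admins_without_trusted_hosts(parsed):
    """Admin accounts where workaround 2 (trusted hosts only) is not applied."""
    return sorted(name for name, hosts in parsed["admins"].items() if not hosts)


if __name__ == "__main__":
    # Constructed inventory: hostname -> version string as exported from the device.
    inventory = {"sw-core-1": "v7.4.3,build0821", "sw-edge-2": "7.6.1", "sw-lab-3": "6.4.14"}
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {'PATCH NOW' if needs_patch(ver) else 'fixed release'}")
    parsed = parse_config(SAMPLE_CONFIG)
    print("web GUI still enabled on:", interfaces_exposing_web_gui(parsed))
    print("admins without trusthost:", admins_without_trusted_hosts(parsed))
```

The version check deliberately treats an unlisted branch as "not covered" rather than "safe", since the advisory only speaks to 6.4 through 7.6. The config checks are only as good as the assumed syntax; if your backup nests sections differently, the `sections` stack in `parse_config` is the place to adjust.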

This is one of those bugs that falls into the Go Patch Right Now category.