Fortinet has released security updates to address a critical security flaw affecting FortiSwitch that could allow an attacker to make unauthorized password changes.
The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.
“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.
The shortcoming affects the following versions:
- FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
- FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
- FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
- FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
- FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
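For anyone triaging a fleet of switches against the list above, the following is an added example (written for this article, not code from Fortinet or the advisory) that parses FortiSwitch version strings and reports whether each one falls inside the affected ranges the advisory lists and which release fixes it. The ranges are copied from the advisory; the function names, the sample inventory and the hostnames in it are constructed for the example. Note that a version on a branch the advisory does not mention (for example an end-of-support 6.2.x build) is reported as "not in the listed ranges", which is not the same as being safe.

```python
# Added example: classify FortiSwitch versions against the CVE-2024-48887
# affected ranges reported in the advisory. Not Fortinet code.
from dataclasses import dataclass
from typing import Optional, Tuple, List

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class AffectedRange:
    low: Version    # first affected release on the branch, inclusive
    high: Version   # last affected release on the branch, inclusive
    fixed: str      # first release on that branch that carries the fix


# Affected ranges exactly as the advisory lists them.
AFFECTED: Tuple[AffectedRange, ...] = (
    AffectedRange((7, 6, 0), (7, 6, 0), "7.6.1"),
    AffectedRange((7, 4, 0), (7, 4, 4), "7.4.5"),
    AffectedRange((7, 2, 0), (7, 2, 8), "7.2.9"),
    AffectedRange((7, 0, 0), (7, 0, 10), "7.0.11"),
    AffectedRange((6, 4, 0), (6, 4, 14), "6.4.15"),
)


def parse_version(text: str) -> Version:
    """Turn '7.4.3', 'v7.4.3' or 'v7.4.3 build0500' into (7, 4, 3).

    Only the leading major.minor.patch token is used; anything after the
    first whitespace (build numbers, tags) is ignored.
    """
    token = text.strip().split()[0].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSwitch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release).

    affected is True when the version lies inside one of the listed ranges;
    fixed_release is the first patched release on that branch, or None when
    the version is not inside any listed range.
    """
    ver = parse_version(text)
    for r in AFFECTED:
        # Tuple comparison orders (major, minor, patch) lexicographically.
        if r.low <= ver <= r.high:
            return True, r.fixed
    return False, None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (hostname, version) pairs, return (hostname, version, fix)
    for every device that needs an upgrade, in inventory order."""
    needs_upgrade = []
    for host, version in inventory:
        affected, fix = check_version(version)
        if affected:
            needs_upgrade.append((host, version, fix))
    return needs_upgrade


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sw-core-01", "v7.4.3 build0600"),
    ("sw-core-02", "7.4.5"),
    ("sw-access-11", "7.0.10"),
    ("sw-lab-01", "6.4.15"),
    ("sw-legacy-01", "6.2.7"),   # branch not listed in the advisory
]

if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {fix} or above")
```

Running the block as a script prints one line per affected device in the sample inventory; in real use, replace `SAMPLE_INVENTORY` with the version strings collected from your own switches.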

The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.
As workarounds, Fortinet recommends disabling HTTP/HTTPS access on administrative interfaces and restricting access to the device to trusted hosts only. Both are interim measures: turning off HTTP/HTTPS removes the vulnerable GUI from the network surface entirely (management then happens over SSH, the console or FortiLink), while trusted-host restrictions only narrow who can reach it, so neither replaces the upgrade.
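As an added illustration of what those two workarounds look like in the FortiSwitchOS CLI (this is editor-supplied configuration, not text from the advisory or the article), assume the management interface is named `mgmt`, the administrator account is `admin`, and the only network that should manage the switch is 10.0.0.0/24; all three are placeholders. The `allowaccess` and `trusthost` keywords are used here as the editor understands the FortiSwitchOS CLI; confirm them against the CLI reference for your release before pasting.

```text
# Workaround 1: drop http and https from the protocols the management
# interface accepts. Keep only what you actually use (ssh, ping, snmp...).
config system interface
    edit "mgmt"
        set allowaccess ping ssh snmp
    next
end

# Workaround 2: limit where the admin account may log in from.
# Placeholder addresses; repeat trusthost2..trusthostN for further hosts.
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
```

Apply the first change from a session that does not depend on the GUI (SSH or console), since it terminates web access the moment it is committed, and verify afterwards with `show system interface mgmt` that `http` and `https` no longer appear in `allowaccess`.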
While there is no evidence that the vulnerability has been exploited, numerous security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that customers move quickly to apply the patches. Because the flaw lets an attacker set an admin password rather than read one, a sensible post-patch check is to review the switch's admin and configuration-change logs for password changes that no administrator made, and to rotate any admin credentials on devices that were exposed while vulnerable.