Saturday, June 7, 2025

Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw


Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could allow an attacker to make unauthorized password changes.

The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.

“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI could enable a remote unauthenticated attacker to change admin passwords by way of a specially crafted request,” Fortinet said in an advisory released today.

The shortcoming impacts the following versions:

  • FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
  • FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
  • FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
  • FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
  • FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
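To triage a switch inventory against the ranges above, the following added example (not part of the advisory or of any Fortinet tooling) classifies each reported firmware version. The host names and version strings in `INVENTORY` are constructed sample data, and the way versions are collected from devices is left as an assumption.

```python
import re

# Affected range and first fixed release per branch, as listed in the article.
AFFECTED = {
    (7, 6): ((7, 6, 0), (7, 6, 0), "7.6.1"),
    (7, 4): ((7, 4, 0), (7, 4, 4), "7.4.5"),
    (7, 2): ((7, 2, 0), (7, 2, 8), "7.2.9"),
    (7, 0): ((7, 0, 0), (7, 0, 10), "7.0.11"),
    (6, 4): ((6, 4, 0), (6, 4, 14), "6.4.15"),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY = {
    "sw-core-01": "v7.4.3",
    "sw-edge-02": "7.0.10",
    "sw-edge-03": "7.0.11",
    "sw-lab-04": "6.2.7",
    "sw-lab-05": "unknown",
}


def triage(version_string):
    """Return (status, upgrade_target) for one reported firmware version.

    status is "affected", "fixed", "not-listed" (branch not named in the
    article, review manually) or "unparsed" (no x.y.z version found).
    """
    match = VERSION_RE.search(version_string)
    if not match:
        return ("unparsed", None)
    # Compare as integer tuples so that 7.0.10 sorts after 7.0.9.
    version = tuple(int(part) for part in match.groups())
    entry = AFFECTED.get(version[:2])
    if entry is None:
        return ("not-listed", None)
    low, high, fixed = entry
    if low <= version <= high:
        return ("affected", fixed)
    return ("fixed", None)


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, (status, target) in sorted(report(INVENTORY).items()):
        print(f"{host}: {status}" + (f" (upgrade to {target} or above)" if target else ""))
```

Hosts reported as "not-listed" or "unparsed" need manual review, since the article gives no information about branches outside the five listed.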

The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.

As workarounds, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and restricting access to the system to only trusted hosts.

While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.
