Critical vulnerability in FortiSwitch GUI allows unauthorized admin password change

Fortinet has released security updates addressing a critical vulnerability in FortiSwitch that could allow attackers to make unauthorized administrative password changes. 

The flaw is tracked as CVE-2024-48887 (CVSS score 9.3) and is classified as an unverified password change vulnerability in the FortiSwitch GUI. It allows remote unauthenticated attackers to modify admin passwords via specially crafted requests, leading to complete compromise of FortiSwitch instances. This vulnerability could enable attackers to gain unauthorized access to network infrastructure, steal data, or further compromise corporate networks.

The following FortiSwitch versions are affected:

• FortiSwitch 7.6.0
• FortiSwitch 7.4.0 through 7.4.4
• FortiSwitch 7.2.0 through 7.2.8
• FortiSwitch 7.0.0 through 7.0.10
• FortiSwitch 6.4.0 through 6.4.14

Fortinet has patched this vulnerability in their latest releases. Users are advised to upgrade to the following versions:

• FortiSwitch 7.6: Upgrade to 7.6.1 or above
• FortiSwitch 7.4: Upgrade to 7.4.5 or above
• FortiSwitch 7.2: Upgrade to 7.2.9 or above
• FortiSwitch 7.0: Upgrade to 7.0.11 or above
• FortiSwitch 6.4: Upgrade to 6.4.15 or above

For organizations that cannot immediately upgrade, Fortinet recommends the following mitigating measures:

1. Disable HTTP/HTTPS Access from administrative interfaces
2. Configure trusted hosts to limit the hosts that can connect to the system using the following command:

   config system admin
   edit <admin_name>
   set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
   next
   end

While there is no evidence that this vulnerability has been exploited in the wild, Fortinet products have historically been targeted by threat actors when vulnerabilities are disclosed. Organizations are strongly advised to patch affected systems.