
Fortinet has released security updates to address a critical security flaw affecting FortiSwitch that could allow an attacker to make unauthorized password changes.
The vulnerability, tracked as CVE-2024-48887, has a CVSS score of 9.3 out of a maximum of 10.0.
“An unverified password change vulnerability [CWE-620] in the FortiSwitch GUI may allow remote authorized attackers to change administrator passwords via specially created requests,” Fortinet said in an advisory released today.
The flaw affects the following versions:
FortiSwitch 7.6.0 (upgrade to 7.6.1 or later)
FortiSwitch 7.4.0 through 7.4.4 (upgrade to 7.4.5 or later)
FortiSwitch 7.2.0 through 7.2.8 (upgrade to 7.2.9 or later)
FortiSwitch 7.0.0 through 7.0.10 (upgrade to 7.0.11 or later)
FortiSwitch 6.4.0 and later 6.4 releases before 6.4.15 (upgrade to 6.4.15 or later)

The network security company said the security hole was discovered internally and reported by Daniel Rozeboom of the FortiSwitch Web UI development team.
As a workaround, Fortinet recommends disabling HTTP/HTTPS access to the administrative interfaces and restricting access to the system to trusted hosts only.
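A quick way to check whether a switch's configuration export already reflects that workaround, as an added example that is not from the article or from Fortinet: the script below parses a constructed, FortiOS-style CLI export (the `allowaccess` and `trusthost` keywords are assumed to match the FortiSwitchOS syntax) and flags interfaces that still expose the web GUI and admin accounts with no trusted-host restriction.

```python
# Constructed sample of a FortiSwitchOS-style config export. The syntax is
# assumed (modelled on the FortiOS CLI family), not copied from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https http ssh
    next
    edit "internal"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "backup-admin"
    next
end
"""

def parse_blocks(text, section):
    """Return {entry_name: {key: value}} for one top-level 'config <section>' block."""
    entries, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == f"config {section}":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif inside and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value
    return entries

def audit(text):
    """Flag interfaces exposing HTTP/HTTPS and admins lacking trusted hosts."""
    findings = []
    for name, attrs in parse_blocks(text, "system interface").items():
        exposed = {"http", "https"} & set(attrs.get("allowaccess", "").split())
        if exposed:
            findings.append(f"interface {name}: web access enabled ({' '.join(sorted(exposed))})")
    for name, attrs in parse_blocks(text, "system admin").items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(f"admin {name}: no trusted-host restriction")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see both findings; an empty list means the export matches the recommended workaround.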
Although there is no evidence that the vulnerability has been exploited, many security flaws affecting Fortinet products have been weaponized by threat actors, so it is essential that users move quickly to apply the patches.