Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.
The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.
“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.

The shortcoming impacts the following versions:
- FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
- FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
- FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
- FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
- FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)
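As an added example (not code from the advisory or the article), the affected ranges above turned into a version-triage check a defender can run over a switch inventory. It assumes versions are reported as `7.4.2` or `v7.4.2,build0201`; the build-suffix format and the sample hostnames are constructed assumptions.

```python
"""Triage FortiSwitch firmware versions against the CVE-2024-48887 affected ranges."""
from typing import NamedTuple, Optional

class Range(NamedTuple):
    lo: tuple   # first affected version (inclusive)
    hi: tuple   # last affected version (inclusive)
    fixed: str  # upgrade target named in the advisory

# Affected ranges exactly as listed in the advisory (inclusive on both ends)
AFFECTED = [
    Range((7, 6, 0), (7, 6, 0), "7.6.1"),
    Range((7, 4, 0), (7, 4, 4), "7.4.5"),
    Range((7, 2, 0), (7, 2, 8), "7.2.9"),
    Range((7, 0, 0), (7, 0, 10), "7.0.11"),
    Range((6, 4, 0), (6, 4, 14), "6.4.15"),
]

def parse_version(text: str) -> tuple:
    """Parse 'v7.4.2' or '7.4.2,build0201' into a comparable (major, minor, patch) tuple.
    Anything after a comma, dash or space (assumed build suffix) is ignored."""
    text = text.strip().lstrip("vV")
    for sep in (",", "-", " "):
        text = text.split(sep, 1)[0]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSwitch version: {text!r}")
    return tuple(int(p) for p in parts)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the upgrade target if `version` falls in an affected range, else None.
    Versions on branches the advisory does not list also return None."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.lo <= v <= r.hi:
            return r.fixed
    return None

def triage(inventory: dict) -> dict:
    """Map hostname -> required upgrade for every vulnerable device in `inventory`."""
    return {host: fix for host, ver in inventory.items()
            if (fix := fixed_version_for(ver)) is not None}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices
    sample = {"sw-core-1": "v7.4.2,build0201", "sw-edge-7": "7.2.9", "sw-lab": "6.4.14"}
    for host, fix in triage(sample).items():
        print(f"{host}: vulnerable, upgrade to {fix}")
```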
The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.
As workarounds, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and restricting access to the system to only trusted hosts.
While there is no evidence that the vulnerability has been exploited, a number of security flaws affecting Fortinet products have been weaponized by threat actors, making it essential that users move quickly to apply the patches.
Some parts of this article are sourced from:
thehackernews.com