PT-2025-15476 · Fortinet · Fortiswitch
Published
2025-04-08
·
Updated
2025-04-18
·
CVE-2024-48887
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
FortiSwitch versions 6.4.0 through 7.6.0
Description:
A critical vulnerability in the FortiSwitch GUI allows remote, unauthenticated attackers to change admin passwords via a specially crafted request. This issue may give attackers control over vulnerable devices. The estimated number of potentially affected devices worldwide is over 2,000. No real-world incidents where this issue was exploited have been mentioned. Technical details about exploitation include the use of the
set password endpoint to change admin passwords without authentication.Recommendations:
To resolve the issue for each affected version, upgrade to the latest version:
- For versions 6.4.0 through 6.4.14, upgrade to 6.4.15.
- For versions 7.0.0 through 7.0.10, upgrade to 7.0.11.
- For versions 7.2.0 through 7.2.8, upgrade to 7.2.9.
- For versions 7.4.0 through 7.4.4, upgrade to 7.4.5.
- For versions 7.6.0, upgrade to 7.6.1. As a temporary workaround, consider disabling HTTP/HTTPS access to the administrative interface until a patch is available.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fortiswitch