April 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Dell Issues Warning on Critical PowerScale OneFS Vulnerabilities Enabling User Account Takeover
April 10, 2025Oracle Acknowledges Security Incident on Outdated Servers
April 10, 2025Dell Issues Warning on Critical PowerScale OneFS Vulnerabilities Enabling User Account Takeover
April 10, 2025Oracle Acknowledges Security Incident on Outdated Servers
April 10, 2025
Severity
Medium
Analysis Summary
Fortinet has released security patches for a critical vulnerability in FortiSwitch devices, identified as CVE-2024-48887, which allows remote, unauthenticated attackers to change administrator passwords. Discovered internally by FortiSwitch web UI team, the flaw is flagged high in severity.
Attackers can exploit it with a low-complexity, no-interaction attack by sending a specially crafted request to the set_password endpoint of the FortiSwitch GUI. The vulnerability affects FortiSwitch versions from 6.4.0 up to 7.6.0. Fortinet addressed the issue in FortiSwitch versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1. Those unable to immediately update are advised to disable HTTP/HTTPS administrative access and restrict device access to trusted hosts as a temporary workaround.
In addition to CVE-2024-48887, Fortinet also patched other vulnerabilities, including an OS command injection flaw (CVE-2024-54024) in FortiIsolator, and man-in-the-middle vulnerabilities (CVE-2024-26013 and CVE-2024-50565) affecting FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb. Fortinet products are frequent targets for attackers, with several vulnerabilities exploited as zero-days before patches are released.
In December, Chinese hackers used a zero-day in FortiClient Windows VPN client to steal credentials via the DeepData toolkit. Another flaw, CVE-2024-47575 ("FortiJump"), was exploited to breach over 50 servers since June 2024. Fortinet has also recently disclosed two more vulnerabilities, CVE-2024-55591 and CVE-2025-24472, both exploited in ransomware attacks.
Impact
- Unauthorized Access
- Credential Theft
Indicators of Compromise
CVE
CVE-2024-48887
CVE-2024-54024
CVE-2024-26013
CVE-2024-50565
CVE-2024-47575
CVE-2024-55591
CVE-2025-24472
Affected Vendors
- Fortinet
Affected Products
- Fortinet FortiSwitch - 7.6.0 - 7.4.0 - 7.2.0 - 7.0.0 - 6.4.0
Remediation
- Refer to FortiGuard Security Advisory for patch, upgrade, or suggested workaround information.
- Enforce strong, unique passwords for all administrative accounts after patching.
- Enable multi-factor authentication (MFA) for administrative access where possible.
- Regularly audit administrative accounts to detect any unauthorized changes.
- Limit use of web-based management interfaces and prefer secure, out-of-band management when available.
- Deploy Intrusion Detection/Prevention Systems (IDS/IPS) to monitor for exploitation attempts targeting Fortinet devices.
- Backup device configurations securely before patching in case a rollback is needed.
- Conduct vulnerability scans to ensure no unpatched devices are exposed.
- Apply least privilege principles by giving users the minimum access necessary.
- Review and tighten API permissions and endpoints like set_password to prevent abuse.
- Train IT staff to recognize signs of Fortinet-specific exploitation attempts and phishing.
- Monitor Fortinet logs for suspicious activities, especially related to password changes or administrative access.
- Create an incident response plan specific to Fortinet device compromise scenarios.
