
Fortinet Advises Upgrades to Fix Critical FortiSwitch Admin Password Vulnerability

Fortinet is urging all users to upgrade their FortiSwitch devices to mitigate a critical security vulnerability identified as CVE-2024-48887, with a CVSS score of 9.3. This vulnerability could enable unauthorized password changes via a specially crafted HTTP request, allowing attackers to override administrative access.

Affected versions and updates

The vulnerability impacts the following FortiSwitch versions:

  • FortiSwitch 7.6.0 → Update to 7.6.1 or later
  • FortiSwitch 7.4.0–7.4.4 → Update to 7.4.5 or later
  • FortiSwitch 7.2.0–7.2.8 → Update to 7.2.9 or later
  • FortiSwitch 7.0.0–7.0.10 → Update to 7.0.11 or later
  • FortiSwitch 6.4.0–6.4.14 → Update to 6.4.15 or later
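As an added example (not Fortinet's or N‑able's code), the following script turns the advisory's affected/fixed ranges above into an inventory check that reports, per device, whether its firmware is vulnerable, already fixed, or on a branch the advisory does not list (which should be treated as "unknown", not "safe"). Hostnames and versions in the sample inventory are constructed.

```python
"""Audit FortiSwitch firmware versions against the CVE-2024-48887 ranges."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per release branch,
# exactly as listed in the advisory summary above.
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
]


def parse_version(text: str) -> Version:
    """Parse '7.4.3' or 'v7.4.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSwitch version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def classify(text: str) -> Tuple[str, Optional[str]]:
    """Return ('vulnerable', '<first fixed>'), ('fixed', None) or ('unlisted', None).

    'unlisted' means the release branch does not appear in the advisory at all,
    so the script deliberately refuses to call it safe.
    """
    ver = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= ver <= high:
            return ("vulnerable", ".".join(map(str, fixed)))
        if ver[:2] == fixed[:2] and ver >= fixed:
            return ("fixed", None)
    return ("unlisted", None)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> required upgrade target for every vulnerable device."""
    result = {}
    for host, version in inventory.items():
        status, target = classify(version)
        if status == "vulnerable":
            result[host] = target
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> running firmware.
    sample = {"fsw-core-01": "7.4.3", "fsw-edge-02": "v7.2.9",
              "fsw-lab-03": "6.4.14", "fsw-old-04": "6.2.5"}
    for host, version in sample.items():
        print(host, version, *classify(version))
```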

This flaw, discovered in-house by Daniel Rozeboom of the FortiSwitch Web UI team, arises from insufficient input validation in the system's GUI (graphical user interface).

Although there’s no evidence of this vulnerability being exploited yet, Fortinet products have historically been targeted by threat actors. Hence, prioritizing this patch is imperative.

Mitigation measures until update

Fortinet urges users to patch their systems immediately. For those unable to update right away, temporary mitigations include disabling HTTP/HTTPS access on administrative interfaces and restricting management access to trusted hosts through the CLI configuration.

Additionally, it is recommended to follow these best practices:

  • Monitor system logs for suspicious activities and unauthorized password changes.
  • Enable multi-factor authentication (MFA) wherever possible.

Fast action required

The severity of this vulnerability cannot be overstated. Applying the patch promptly will not only secure your network but also prevent potential exploitation. For more details, refer to the Fortinet PSIRT advisory here.

Stay proactive and ensure your environment is up to date to safeguard your systems from future risks.

Joe Kern is Director Product Marketing at N‑able

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered marks, or marks pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned in this document are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.