Fortinet has released urgent security patches for a critical vulnerability affecting its FortiSwitch product, alongside fixes for nine other security issues spanning its broader product line.
The most severe of the flaws, CVE-2024-48887, carries a CVSS score of 9.3 and impacts FortiSwitch versions 6.4 to 7.6. This high-risk bug could allow unauthenticated remote attackers to change administrative passwords through a maliciously crafted request to the FortiSwitch web interface.
Fortinet’s advisory explains, “An unverified password change vulnerability in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request.” To help mitigate this threat, the company recommends disabling HTTP/HTTPS administrative access and limiting trusted hosts that can connect to the device.
To fully remediate the issue, users should upgrade to the patched versions:
- FortiSwitch 6.4.15
- FortiSwitch 7.0.11
- FortiSwitch 7.2.9
- FortiSwitch 7.4.5
- FortiSwitch 7.6.1
More High-Severity Vulnerabilities in Fortinet Products
Fortinet has also patched CVE-2024-26013 and CVE-2024-50565, both classified as high-severity vulnerabilities. These flaws could allow attackers to conduct man-in-the-middle (MitM) attacks and intercept FGFM authentication requests between management systems and connected devices. In some cases, attackers could even impersonate key components such as FortiManager or FortiCloud.
The root cause is linked to improper restriction of communication channels, affecting a wide range of products including:
- FortiOS
- FortiProxy
- FortiManager
- FortiAnalyzer
- FortiVoice
- FortiWeb
FortiIsolator OS Command Injection Vulnerability
Another major concern is CVE-2024-54024, a high-severity OS command injection bug in FortiIsolator. This vulnerability allows an authenticated attacker with super-admin and CLI access to execute arbitrary commands via crafted HTTP requests. While this requires elevated access, it still poses a serious risk in compromised environments.
Additional Medium and Low Severity Fixes
Alongside the critical and high-severity issues, Fortinet addressed several medium- and low-severity vulnerabilities, including:
- An OS command injection issue in FortiIsolator
- A log pollution flaw in FortiManager and FortiAnalyzer
- A user management bug in FortiWeb’s widget dashboard
- A path traversal issue in FortiWeb
- An insufficient credentials protection flaw in FortiOS
- A web page input neutralization flaw in FortiClient
Although none of the patched vulnerabilities have been exploited in the wild—according to Fortinet—security experts strongly urge users to apply updates immediately. Fortinet devices are often targeted by threat actors shortly after security flaws are publicly disclosed.
