- Fortinet found a privilege escalation defect in multiple versions of FortiSwitch
- The defect received a critical severity score
- A patch and a mitigation measure are available
Fortinet has patched a critical severity vulnerability in FortiSwitch that allowed malicious actors to change user login credentials.
In a brief security advisory published earlier this week, the company detailed the privilege escalation flaw, the FortiSwitch versions that were affected, and suggested a workaround for those who cannot patch immediately.
The bug is tracked as CWE-620, and it was given a severity score of 9.3/10 (critical). According to NVD, it is tracked as CVE-2024-48887 and has an even worse severity score: 9.8/10. Apparently, the bug was found in the password reset form, which could also be forced to reveal the original password.
Working around the bug
“Do not use ‘forgotten password’ functionality,” MITRE Corporation explained in its advice. “But if you must, be sure that you are providing information to the real user, for example by using an email address or a challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.”
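The pattern MITRE describes above (CWE-620, an unverified password change) is easier to see in code. The following is an added illustration, not Fortinet's code or any FortiSwitch source: a minimal account store with the vulnerable change handler beside the hardened one, plus the two recovery rules from the quote. All usernames, emails and passwords are constructed sample data.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "email"}

    def add_user(self, username, password, email):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "email": email}

    def verify(self, username, password) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        return hmac.compare_digest(_hash(password, u["salt"]), u["hash"])

    def _set_password(self, username, new_password):
        u = self.users[username]
        u["salt"] = os.urandom(16)
        u["hash"] = _hash(new_password, u["salt"])

    # CWE-620: the password is replaced without proof that the caller knows the old one.
    def change_password_unverified(self, username, new_password) -> bool:
        self._set_password(username, new_password)
        return True

    # Hardened: the current password must be presented first (MITRE's first rule).
    def change_password(self, username, current_password, new_password) -> bool:
        if not self.verify(username, current_password):
            return False
        self._set_password(username, new_password)
        return True

    # Recovery identity data may only change after the correct password is supplied.
    def change_recovery_email(self, username, current_password, new_email) -> bool:
        if not self.verify(username, current_password):
            return False
        self.users[username]["email"] = new_email
        return True

    # A reset token goes only to the email already on file, never to one in the request.
    def request_reset(self, username, send) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        send(u["email"], os.urandom(16).hex())  # hypothetical out-of-band delivery hook
        return True
```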
The affected versions include FortiSwitch 6.4 to 6.4.14, 7.0 to 7.0.10, 7.2 to 7.2.8, 7.4 to 7.4.4 and 7.6. Users should update to the latest version to mitigate the flaw.
Those who cannot apply the fixes are advised to implement the workaround instead and disable HTTP/HTTPS access from administrative interfaces.
Fortinet FortiSwitch is a family of high-performance secure Ethernet switches designed to integrate tightly with Fortinet’s Security Fabric, particularly FortiGate firewalls. It is mainly used in enterprise environments, which makes it a highly sought-after target. Firewalls, switches and hubs are an excellent springboard across a target’s network and towards bigger and bolder targets.
Via The Hacker News