Unverified Password Change via set_password Endpoint
Published: April 8, 2025
Author: Gianclaudio Moresi, CISO & Founder of CISONode.com
Fortinet has released a critical security advisory addressing a serious vulnerability (CVE-2024-48887) in the FortiSwitch GUI, which allows remote unauthenticated attackers to perform unauthorized password changes on administrative accounts. This flaw, discovered internally by Fortinet’s own development team, highlights the continued importance of robust access control validation in enterprise network equipment.
🔍 Vulnerability Overview
- CVE ID: CVE-2024-48887
- CWE ID: CWE-620 – Unverified Password Change
- Impact: Remote Privilege Escalation
-
Component: FortiSwitch GUI (
set_passwordendpoint) - Severity: Critical
- CVSSv3 Score: 9.3
- Discovered by: Daniel Rozeboom, FortiSwitch Web UI Development Team
This vulnerability exists due to missing verification mechanisms in the GUI’s password change endpoint. By crafting a specific request, a threat actor can overwrite the password of an administrative user without authentication, effectively taking full control of the device.
🎯 Affected Versions and Remediation
| FortiSwitch Version | Affected Builds | Fixed In |
|---|---|---|
| 7.6 | 7.6.0 | 7.6.1 or above |
| 7.4 | 7.4.0 – 7.4.4 | 7.4.5 or above |
| 7.2 | 7.2.0 – 7.2.8 | 7.2.9 or above |
| 7.0 | 7.0.0 – 7.0.10 | 7.0.11 or above |
| 6.4 | 6.4.0 – 6.4.14 | 6.4.15 or above |
Recommendation: All organizations using affected FortiSwitch versions should upgrade immediately. Delaying the update could leave critical infrastructure vulnerable to complete compromise.
🛡️ Temporary Workaround
If immediate patching is not feasible, Fortinet recommends limiting exposure with the following workarounds:
1. Disable GUI Access (HTTP/HTTPS)
Block administrative access from external or untrusted interfaces.
2. Restrict Access to Trusted Hosts Only
Update admin profiles to restrict access via trusted IPs:
config system adminedit <admin_name>set trusthost1 <trusted_ip/mask>nextend
These measures will not eliminate the vulnerability but can significantly reduce risk while preparing for patch deployment.
🔒 Strategic Takeaways for CISOs
This incident underlines the growing necessity for:
- Continuous vulnerability monitoring and patch management across all network devices.
- Zero Trust principles even within internal networks – assume compromise is possible and isolate accordingly.
- Rigorous endpoint validation in internal development and third-party vendor software alike.
It also offers a moment of reflection: many security leaders focus heavily on application and identity security but overlook embedded and infrastructure management interfaces that often lack modern defenses like 2FA, request validation, and rate-limiting.