Fortinet

Security Advisory

Critical Flaw in FortiSwitch of Fortinet Allows Attackers to Change Admin Password

An unverified password change vulnerability [CWE-620] in FortiSwitch GUI discovered.

This may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request as per Fortinet advisory released.

Summary

OEMFortinet 
SeverityCRITICAL
CVSS Score9.8
CVEsCVE-2024-48887
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

Fortinet’s FortiSwitch product line has revealed a significant vulnerability noted as CVE-2024-48887. This flaw allows unauthenticated remote attackers to change administrative passwords by sending specially crafted requests to the device’s password management endpoint. With a CVSS score of 9.8, the vulnerability is classified as Critical and is actively being exploited in the wild.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
A unverified password change vulnerability  CVE-2024-48887Fortinet   CRITICAL  9.8

Technical Summary

A critical vulnerability (CVE-2024-48887) has been identified in Fortinet FortiSwitch devices, affecting versions 6.4.0 through 7.6.0. This flaw resides in the web-based management interface and allows remote, unauthenticated attackers to change administrator passwords by sending a specially crafted HTTP request to the set_password endpoint.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2024-48887  FortiSwitch v7.6, 7.4, 7.2, 7.0, 6.4CVE-2024-48887 is an unauthenticated password change vulnerability in FortiSwitch web GUI.
It enables remote unauthenticated attackers to modify admin passwords through crafted requests to the set_password endpoint.		    Unverified Password Change

Remediation:

  • Apply Security Patches: Install the latest security update for your FortiSwitch version. Fortinet has fixed the issue in 6.4.15 and above,7.0.11 and above,7.2.9 and above,7.4.5 and above,7.6.1 and above versions.

General Recommendations

  • Update Devices Regularly always install the latest firmware and security patches from Fortinet to fix known vulnerabilities.
  • Limit access to the FortiSwitch web GUI to trusted IP addresses and disable HTTP/HTTPS access if it is not required.
  • Set strong and unique passwords and change them regularly to prevent unauthorized access.
  • Monitor unusual Activity for suspicious logins or configuration changes.

Conclusion:


The CVE-2024-48887 vulnerability poses a serious security risk to organizations using affected FortiSwitch devices. Its ease of exploitation and the lack of authentication required make it particularly dangerous.

Organizations must act immediately by applying the relevant security patches, limiting administrative access, and monitoring for unusual activity.

References:

Security Advisory

Authentication Bypass Vulnerability in FortiOS & FortiProxy 

Summary 

A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.

OEM Fortinet 
Severity Critical 
CVSS 9.6 
CVEs CVE-2025-24472 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Authentication Bypass Vulnerability CVE-2025-24472 FortiOS FortiProxy Critical  FortiOS v7.0 – v7.0.16   FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 

Technical Summary 

CVE ID Vulnerability Details Impact 
  CVE-2025-24472   An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests.   Execute unauthorized code or commands 

Recommendations

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below 
Version Fixes and Releases 
FortiOS 7.0 – 7.0.16 Upgrade to 7.0.17 or latest version 
FortiProxy 7.0 – 7.0.19 Upgrade to 7.0.20 or latest version 
FortiProxy 7.2 – 7.2.12 Upgrade to 7.2.13 or latest version 

Workarounds: 

Below are some workarounds provided by the Fortinet team. 

  • Disable HTTP/HTTPS administrative interface 
  • Limit IP addresses that can reach the administrative interface via local-in policies 

According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”

References: 

Security Advisory

Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation

Summary

Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products. 

A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.

OEMFortinet
SeverityCritical
CVSS9.6
CVEsCVE-2024-55591
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.

The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.

Vulnerability NameCVE IDProduct AffectedSeverity
  Authentication Bypass Vulnerability  CVE-2024-55591  FortiOS and FortiProxy  Critical

Technical Summary

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.

Impact by Region (Unpatched Devices)

  • Asia: 20,687 devices
  • North America: 12,866 devices
  • Europe: 7,401 devices
CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-55591FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges.Unauthorized administrative access, credential extraction, and lateral movement.

Remediation:

  1. Upgrade Firmware:
  2. FortiOS: Update to version 7.0.17 or latest
  3. FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
  • Restrict Administrative Interface Access:
  • Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
  • Enable Multi-Factor Authentication (MFA):
  • Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
  • Monitor Suspicious Activities:
  • Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.

Conclusion:

The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.

References:

Hashtags

Scroll to top