Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.


The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.


"An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request," Fortinet said in an advisory released today.


The flaw affects the following FortiSwitch release branches (the first fixed release for each branch is given in brackets):

FortiSwitch 7.6.0 (upgrade to 7.6.1 or above)
FortiSwitch 7.4.0 through 7.4.4 (upgrade to 7.4.5 or above)
FortiSwitch 7.2.0 through 7.2.8 (upgrade to 7.2.9 or above)
FortiSwitch 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above)
FortiSwitch 6.4.0 through 6.4.14 (upgrade to 6.4.15 or above)
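Checking a fleet of switches by hand against five version ranges is error-prone, so the following script encodes the ranges above and classifies each device as vulnerable, fixed, or on a branch the bulletin does not list. This is an added example written for this bulletin, not code from Fortinet or Integrity360; it assumes the firmware version appears as a "vMAJOR.MINOR.PATCH" token in the output of `get system status` (the exact line format is an assumption), and the sample inventory, model names, build numbers and dates are constructed.

```python
import re

# Affected FortiSwitch ranges from the bulletin, per release branch:
# (first affected, last affected, first fixed). All bounds are inclusive.
AFFECTED_RANGES = {
    (7, 6): ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    (7, 4): ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    (7, 2): ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    (7, 0): ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    (6, 4): ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
}

# Matches the "vMAJOR.MINOR.PATCH" token on the Version line of
# 'get system status'. The exact line format is an assumption here.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_output: str) -> tuple:
    """Return (major, minor, patch) from a 'get system status' dump."""
    match = VERSION_RE.search(status_output)
    if match is None:
        raise ValueError("no firmware version found in status output")
    return tuple(int(part) for part in match.groups())


def assess(version: tuple) -> tuple:
    """Classify a firmware version against the CVE-2024-48887 ranges.

    Returns (state, upgrade_to), where state is 'vulnerable', 'fixed' or
    'not_listed', and upgrade_to is the first fixed release on that branch
    (None when no upgrade is required or the branch is not in the bulletin).
    """
    branch = version[:2]
    if branch not in AFFECTED_RANGES:
        # Branch not named in the bulletin (for example 6.2.x): report it as
        # unknown rather than safe, and check Fortinet's advisory for that branch.
        return ("not_listed", None)
    first, last, fixed = AFFECTED_RANGES[branch]
    if first <= version <= last:
        return ("vulnerable", fixed)
    return ("fixed", None)


def audit(inventory: dict) -> dict:
    """Map each switch name to its assessment, parsing its status output."""
    results = {}
    for name, status_output in inventory.items():
        try:
            version = parse_version(status_output)
        except ValueError:
            # Keep unparseable devices visible instead of silently dropping them.
            results[name] = ("unparsed", None)
            continue
        results[name] = assess(version)
    return results


def version_str(version: tuple) -> str:
    return ".".join(str(part) for part in version)


# Constructed sample inventory: names, models, build numbers and dates are made up.
SAMPLE_INVENTORY = {
    "sw-core-01": "Version: FortiSwitch-448E v7.4.3,build0000,240101 (GA)",
    "sw-access-07": "Version: FortiSwitch-124F v7.2.9,build0000,250101 (GA)",
    "sw-lab-02": "Version: FortiSwitch-108E v6.4.14,build0000,240101 (GA)",
    "sw-legacy-03": "Version: FortiSwitch-224D v6.2.7,build0000,230101 (GA)",
}

if __name__ == "__main__":
    for name, (state, upgrade_to) in sorted(audit(SAMPLE_INVENTORY).items()):
        advice = f" -> upgrade to {version_str(upgrade_to)} or later" if upgrade_to else ""
        print(f"{name:14} {state:11}{advice}")
```

Feed it the captured `get system status` output of each switch (from a config backup, a management tool export, or an SSH session) and treat both "vulnerable" and "not_listed" as items to act on; a branch missing from the bulletin is not evidence that it is unaffected.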


Please update as soon as possible. Fortinet's advisory also lists a workaround for devices that cannot be upgraded immediately: disable HTTP/HTTPS access on the administrative interfaces and restrict management access to trusted hosts. Because the flaw lets an unauthenticated attacker set admin passwords, patching alone does not undo a change that has already happened: after upgrading, review the admin accounts on each switch, rotate administrator credentials, and check the event logs for admin password changes you did not make. Contact the Integrity360 Incident Response team if you notice any unexpected behaviour.




If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

