Summary

On April 8, 2025, Fortinet disclosed a critical vulnerability affecting multiple versions of FortiSwitch, tracked as CVE-2024-48887. This vulnerability is an unverified password change vulnerability in the FortiSwitch GUI. It allows unauthenticated attackers to execute arbitrary commands on the underlying system via specially crafted HTTP requests. Specifically, a remote attacker may change administrator passwords without authentication, making it possible to take control of affected devices. The issue has received a CVSSv3 score of 9.3, marking it as a critical security risk, especially for network infrastructure environments relying on FortiSwitch for network infrastructure.

Fortinet has released patches and urges all customers to upgrade immediately. This exploitation does not require authentication and the potential for lateral movement and unauthorized access makes this a critical risk in the current threat landscape.

Affected Systems and Applications

According to Fortinet’s PSIRT advisory FG-IR-24-435, the following versions are affected:

• FortiSwitch 7.6.0
• FortiSwitch 7.4.0 through 7.4.4
• FortiSwitch 7.2.0 through 7.2.8
• FortiSwitch 7.0.0 through 7.0.10
• FortiSwitch 6.4.0 through 6.4.14

Fortinet has released patched versions to address the issue:

• Upgrade to FortiSwitch 7.6.1 or above
• Upgrade to FortiSwitch 7.4.5 or above
• Upgrade to FortiSwitch 7.2.9 or above
• Upgrade to FortiSwitch 7.0.11 or above
• Upgrade to FortiSwitch 6.4.15 or above

Technical Details / Attack Overview

The vulnerability stems from improper input sanitization in the Web GUI’s HTTP request handling logic. Unauthenticated users can exploit this flaw by sending specially crafted HTTP requests that include command injection strings. This may allow attackers to change administrator credentials or execute system commands without prior authentication.

Temporary Workarounds and Mitigations

Kudelski Security recommends the following mitigations until the patch is applied:

• Apply vendor-provided security patches as soon as available
• Implement network segmentation to restrict direct access to management interfaces
• Use additional authentication mechanisms like multi-factor authentication (MFA)
• Monitor administrative password change logs
• Restrict GUI access from untrusted or external networks

No configuration change fully mitigates the risk — upgrading to the patched version is the only complete fix.

Detection Guidance

Security teams should implement the following detection strategies:

• Review Web GUI access logs for abnormal requests or unusual user agents.
• Monitor for unexpected system commands or script execution initiated from the GUI process.
• Check for password change activity originating from unauthenticated sessions

What the Cyber Fusion Center is Doing

• The Cyber Fusion Center (CFC) is actively monitoring exploitation attempts and evaluating threat intelligence for indicators of compromise (IOCs).
• A vulnerability plugin for Tenable and Qualys have not yet been released but are being tracked.
• The CFC is currently investigating if threat hunting rules can be deployed.
  • At this time, there is no evidence of a public proof-of-concept (PoC), and no confirmed exploitation in the wild

References

• https://www.fortiguard.com/psirt/FG-IR-24-435
• https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-48887
• https://cve.org/CVERecord?id=CVE-2024-48887
• https://www.tenable.com/cve/CVE-2024-48887