Date of Disclosure (source): April 8, 2025
CVE-2024-48887 is a critical vulnerability in Fortinet’s FortiSwitch GUI with a CVSS score of 9.8. If successfully exploited, it allows an unauthenticated attacker to change admin passwords via a specially crafted request.

This vulnerability is present in the following FortiSwitch versions:
- FortiSwitch 7.6.0 (patched in 7.6.1)
- FortiSwitch 7.4.0 – 7.4.4 (patched in 7.4.5)
- FortiSwitch 7.2.0 – 7.2.8 (patched in 7.2.9)
- FortiSwitch 7.0.0 – 7.0.10 (patched in 7.0.11)
- FortiSwitch 6.4.0 – 6.4.14 (patched in 6.4.15)
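To turn the version list above into something an inventory script can apply, here is an added example (not Fortinet's or Censys's code) that normalises a FortiSwitch version string and reports whether it falls in an affected range and which release closes it. The ranges are copied from the list; a branch that does not appear on the list is reported as "not listed" rather than "safe", because the advisory says nothing about it.

```python
"""Check a FortiSwitch version against the affected ranges for CVE-2024-48887.

Added example, not Fortinet's or Censys's code. The ranges below are copied
from the advisory list; branches not on that list are reported as
"not listed" rather than "safe".
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, fixed release) per the advisory.
AFFECTED = [
    ("7.6", (7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ("7.4", (7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ("7.2", (7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ("7.0", (7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ("6.4", (6, 4, 0), (6, 4, 14), (6, 4, 15)),
]


def parse_version(text: str) -> Version:
    """Normalise strings such as 'v7.4.3', '7.4.3,build...' or '7.4' to a tuple.

    Build suffixes (',build...' or '-...') are dropped because the advisory
    expresses its ranges by release number only.
    """
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSwitch version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Dict[str, str]:
    """Classify one version as vulnerable, patched, or not listed in the advisory."""
    v = parse_version(text)
    for _branch, first, last, fixed in AFFECTED:
        if v[:2] != first[:2]:
            continue                       # different release branch
        if first <= v <= last:
            return {"version": fmt(v), "status": "vulnerable", "upgrade_to": fmt(fixed)}
        # Same branch and above the last affected build: the fix is in.
        return {"version": fmt(v), "status": "patched", "fixed_in": fmt(fixed)}
    return {"version": fmt(v), "status": "not listed"}


if __name__ == "__main__":
    for sample in ("7.4.3", "v7.0.11", "6.4.14", "7.6", "7.8.0"):
        print(sample, "->", assess(sample))
```

Feed it the version string as reported by the device or by your asset inventory; the build suffix is ignored, so "7.4.3,build..." and "7.4.3" are treated the same.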
Fortinet additionally noted in their advisory that, as a workaround, users should disable HTTP/HTTPS access on administrative interfaces and restrict access to the system to trusted hosts.
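The workaround can be checked offline from a configuration backup rather than by logging in to every switch. The following is an added example, not Fortinet's code: it parses the `config system interface` and `config system admin` blocks in the FortiOS-style CLI syntax (`edit "name"` / `set key value` / `next` / `end`), flags interfaces whose `allowaccess` still includes http or https, and flags administrators with no effective `trusthostN` restriction. The keyword names, the "0.0.0.0 0.0.0.0" meaning "any host", and the sample configuration are assumptions made for the example; confirm them against the CLI reference for your FortiSwitchOS release.

```python
"""Audit a FortiSwitch config backup for the CVE-2024-48887 workarounds.

Added example, not Fortinet's code. Assumes the FortiOS-style CLI syntax
(config ... / edit "name" / set key value / next / end) with `set allowaccess`
on interfaces and `set trusthostN` on admin accounts; verify the keyword names
against the CLI reference for your FortiSwitchOS release.
"""
from typing import Dict, List

WEB_PROTOCOLS = {"http", "https"}
ANY_HOST = "0.0.0.0 0.0.0.0"   # assumed FortiOS-style default meaning "no restriction"

# Constructed sample config: one interface still serving the GUI and one admin
# account whose trusted-host entry is the unrestricted default.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping ssh snmp
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, str]]]   # section -> entry -> key -> value


def parse_config(text: str) -> Config:
    """Collect the `set` lines of each entry in each top-level config section.

    Sub-blocks nested inside an entry (e.g. `config ipv6`) are skipped; the
    checks below only need the entry's top-level keys.
    """
    sections: Config = {}
    section = entry = None
    depth = 0                                  # >0 while inside a nested sub-block
    for raw in text.splitlines():
        line = raw.strip()
        if depth:
            if line.startswith("config "):
                depth += 1
            elif line == "end":
                depth -= 1
            continue
        if line.startswith("config "):
            if entry is not None:
                depth = 1                      # nested block: skip to its `end`
            else:
                section = line[len("config "):]
                sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip()
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections


def audit(text: str) -> List[str]:
    """One finding per interface exposing the GUI or admin lacking trusted hosts."""
    cfg = parse_config(text)
    findings: List[str] = []
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = WEB_PROTOCOLS & set(attrs.get("allowaccess", "").split())
        if exposed:
            findings.append(f"interface {name}: GUI reachable via {' '.join(sorted(exposed))}")
    for name, attrs in cfg.get("system admin", {}).items():
        hosts = [v for k, v in attrs.items() if k.startswith("trusthost") and v != ANY_HOST]
        if not hosts:
            findings.append(f"admin {name}: no trusted-host restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it over the text of a `show full-configuration` dump or a saved backup; an empty result means every interface has the web protocols removed from `allowaccess` and every admin has at least one non-default trusted host, which is what the advisory's workaround asks for.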
At the time of writing there is no evidence that this vulnerability is being actively exploited, and technical details remain limited. Even so, CVE-2024-48887 requires no authentication, and an attacker who can reset an admin password gains administrative access to, and potentially full control of, the device. A compromised switch is a foothold in the network and a path to other infrastructure connected to or managed through it. Given the severity, customers should patch as soon as possible, starting with instances whose management interface is reachable from untrusted networks.
| Field | Details |
|---|---|
| CVE-ID | CVE-2024-48887 – CVSS 9.8 (critical) – assigned by Fortinet, Inc. |
| Vulnerability Description | An unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request. |
| Date of Disclosure | April 8, 2025 |
| Affected Assets | Fortinet FortiSwitch GUI |
| Vulnerable Software Versions | FortiSwitch 7.6.0; 7.4.0 through 7.4.4; 7.2.0 through 7.2.8; 7.0.0 through 7.0.10; 6.4.0 through 6.4.14 |
| PoC Available? | We did not observe any public exploits available at the time of writing. |
| Exploitation Status | We did not observe this vulnerability on CISA’s list of known exploited vulnerabilities or in GreyNoise at the time of writing. |
| Patch Status | This vulnerability has been patched in versions 7.6.1, 7.4.5, 7.2.9, 7.0.11, and 6.4.15. Fortinet has included steps for working around the vulnerability in their advisory. |
Censys Perspective
At the time of writing, Censys observed 864 exposed FortiSwitch instances online. Not every observed instance is necessarily vulnerable: the fingerprints identify the product but do not recover the running version.
Map of Exposed FortiSwitch Instances:

The queries below can be used to identify exposed instances of FortiSwitch, but they are not necessarily vulnerable to the exploit.
web.hardware: (vendor: "Fortinet" and product: "FortiSwitch") or host.services.software: (vendor: "Fortinet" and product: "FortiSwitch")
services.software: (vendor="Fortinet" and product="FortiSwitch")
host.services.software: (vendor="Fortinet" and product="FortiSwitch")
Please note that these fingerprints were recently deployed and results may take up to 24 hours to fully propagate.

