Fortinet on Tuesday announced patches for 10 vulnerabilities across its products, including a critical-severity bug in FortiSwitch.
Tracked as CVE-2024-48887 (CVSS score of 9.3), the FortiSwitch issue could allow an attacker to modify administrative passwords, the company warns.
“An unverified password change vulnerability in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” reads Fortinet’s advisory.
Disabling HTTP/HTTPS access from administrative interfaces and limiting the hosts that can connect to the system should mitigate the flaw, the company says.
The bug impacts FortiSwitch versions 6.4 to 7.6 and was addressed with the release of FortiSwitch versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.
Patches were also released for CVE-2024-26013 and CVE-2024-50565, two high-severity vulnerabilities that could allow unauthenticated attackers to perform man-in-the-middle (MitM) attacks, intercept FGFM authentication requests between management and managed devices, and impersonate the management device (either the FortiCloud server or FortiManager).
Described as ‘improper restriction of communication channel to intended endpoints’ bugs, the security defects impact FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb.
On Tuesday, Fortinet also announced fixes for CVE-2024-54024, a high-severity OS command injection flaw in FortiIsolator that could allow an authenticated attacker with super-admin privileges and CLI access to execute arbitrary code via crafted HTTP requests.
The company also released patches for four medium-severity issues, including an OS command injection bug in FortiIsolator, a log pollution flaw in FortiManager and FortiAnalyzer, an incorrect user management defect in the FortiWeb widgets dashboard, and a path traversal in FortiWeb.
An insufficiently protected credentials bug in FortiOS was also resolved, as well as an improper neutralization of input during web page generation issue in FortiClient, both low-severity.
Fortinet makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their appliances as soon as possible, as it is not uncommon for threat actors to exploit flaws in Fortinet products. Additional information can be found on the company’s PSIRT advisories page.
Related: Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks
Related: Fortinet Patches 18 Vulnerabilities
Related: Ivanti, Fortinet Patch Remote Code Execution Vulnerabilities
Related: Fortinet Confirms New Zero-Day Exploitation
