FortiSwitch GUI Unverified Password Change Remote Attack
CVE-2024-48887 Published on April 8, 2025
An unverified password change vulnerability in the Fortinet FortiSwitch GUI may allow a remote, unauthenticated attacker to change admin passwords via a specially crafted request.
Vulnerability Analysis
CVE-2024-48887 can be exploited with network access and requires neither privileges nor user interaction. The vulnerability is considered to have low attack complexity. The potential impact of an exploit is rated critical, because a successful exploit has a high impact on the confidentiality, integrity and availability of the component.
Weakness Type
Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
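The weakness described above, shown as an added illustration written for this page (it is not FortiSwitch code and makes no claim about how the FortiSwitch GUI is implemented): a password-change routine that checks nothing beside one that requires an authenticated session for the account being changed and proof of the current password. The user store, session value and passwords are constructed here.

```python
# Added illustration of CWE-620 (Unverified Password Change). Not FortiSwitch
# code; the store, session and passwords below are constructed for the example.
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(**passwords):
    """Constructed in-memory store: username -> (salt, password hash)."""
    store = {}
    for name, pw in passwords.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store

def change_password_unverified(store, target: str, new_password: str) -> bool:
    """Weak pattern: whoever can reach this routine resets any account.
    Neither an authenticated session nor the current password is checked."""
    if target not in store:
        return False
    salt = os.urandom(16)
    store[target] = (salt, hash_password(new_password, salt))
    return True

def change_password_verified(store, session_user, target: str,
                             current_password: str, new_password: str) -> bool:
    """Hardened pattern: the caller must hold an authenticated session for the
    account being changed and must prove knowledge of its current password."""
    if session_user is None or session_user != target or target not in store:
        return False  # unauthenticated, or acting on someone else's account
    salt, stored = store[target]
    if not hmac.compare_digest(hash_password(current_password, salt), stored):
        return False  # current password wrong: nothing changes
    new_salt = os.urandom(16)
    store[target] = (new_salt, hash_password(new_password, new_salt))
    return True

def verify_login(store, user: str, password: str) -> bool:
    """Check a login attempt against the store, to observe each outcome."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(hash_password(password, salt), stored)
```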
Products Associated with CVE-2024-48887
Affected Versions
Fortinet FortiSwitch:
- Version 7.6.0 is affected.
- Versions 7.4.0 through 7.4.4 are affected.
- Versions 7.2.0 through 7.2.8 are affected.
- Versions 7.0.0 through 7.0.10 are affected.
- Versions 6.4.0 through 6.4.14 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.