=====================================================================
CERT-Renater Note d'Information No. 2025/VULN217
_____________________________________________________________________

DATE                 : 08/04/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiSwitch versions prior to
                       7.6.1, 7.4.5, 7.2.9, 7.0.11, 6.4.15.
=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-24-435
_____________________________________________________________________

Unverified password change via set_password endpoint

Summary

An unverified password change vulnerability [CWE-620] in the FortiSwitch GUI may allow a remote, unauthenticated attacker to modify admin passwords via a specially crafted request.

Version           Affected               Solution
FortiSwitch 7.6   7.6.0                  Upgrade to 7.6.1 or above
FortiSwitch 7.4   7.4.0 through 7.4.4    Upgrade to 7.4.5 or above
FortiSwitch 7.2   7.2.0 through 7.2.8    Upgrade to 7.2.9 or above
FortiSwitch 7.0   7.0.0 through 7.0.10   Upgrade to 7.0.11 or above
FortiSwitch 6.4   6.4.0 through 6.4.14   Upgrade to 6.4.15 or above

Workaround

Disable HTTP/HTTPS access from administrative interfaces.

Configure trusted hosts to limit the hosts that can connect to the system:

    config system admin
        edit
            set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10}
        next
    end

Acknowledgement

Internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.

Timeline

2025-04-08: Initial publication

IR Number      : FG-IR-24-435
Published Date : Apr 8, 2025
Component      : GUI
Severity       : Critical
CVSSv3 Score   : 9.3
Impact         : Escalation of privilege
CVE ID         : (not given in this notice)

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
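As an added example (not part of the CERT-Renater notice or of any Fortinet tooling), the script below triages firmware strings from a switch inventory against the affected ranges in the table above, so an operator can see which units need the listed upgrade; the inventory lines and hostnames are constructed sample data.

```python
import re

# Affected ranges and first fixed release per branch, as listed in FG-IR-24-435:
# (major, minor) -> (first affected, last affected, first fixed)
AFFECTED = {
    (7, 6): ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    (7, 4): ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    (7, 2): ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    (7, 0): ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    (6, 4): ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
}

def parse_version(text):
    """Extract x.y.z from strings such as 'v7.4.3,build0500' (build suffix ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def assess(version_text):
    """Return (status, fixed_version); status is 'affected', 'not affected' or 'unlisted'."""
    v = parse_version(version_text)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        # Branch absent from the advisory table (e.g. 6.2): the notice makes no
        # statement about it, so it is flagged for a manual check rather than cleared.
        return "unlisted", None
    first, last, fixed = entry
    if first <= v <= last:
        return "affected", ".".join(map(str, fixed))
    return "not affected", None

# Constructed sample inventory, one "<hostname> <firmware string>" per line.
INVENTORY = """\
sw-core-01 v7.4.3,build0500
sw-edge-07 v7.2.9,build0400
sw-lab-02  v6.4.14,build0000
sw-old-01  v6.2.7,build0000
"""

def triage(inventory=INVENTORY):
    """Map each hostname to (status, fixed_version) for the FG-IR-24-435 ranges."""
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, firmware = line.split(maxsplit=1)
            result[host] = assess(firmware)
    return result

if __name__ == "__main__":
    for host, (status, fixed) in triage().items():
        action = f"upgrade to {fixed} or above" if fixed else "no action from this advisory"
        print(f"{host}: {status} ({action})")
```

Until a unit is upgraded, the advisory's workaround (no HTTP/HTTPS on administrative interfaces and trusted-host restrictions) is the interim control for any host the script reports as affected.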