FortiSwitch
riteshpv
Staff
Article Id 388659
Description: This article describes the necessary steps to mitigate the vulnerability CVE-2024-48887 [FG-IR-24-435].
Scope: FortiSwitch v6.4, v7.0, v7.2, v7.4, v7.6.
Solution:

FortiSwitch is affected by this vulnerability only if its GUI (HTTP/HTTPS) is accessible to unauthorized devices.

Even when FortiSwitch is managed, it remains vulnerable only if there is a policy or route configured that originates from the FortiLink interface and allows access to the FortiSwitch GUI from an external network.

If no such policy or route exists, and the GUI is inaccessible to unauthorized devices, then the vulnerability cannot be exploited.

As stated in the Fortinet PSIRT advisory 'Unverified password change via set_password endpoint' (FG-IR-24-435), the recommended workaround is to disable HTTP/HTTPS access and configure trusted hosts.

  • Disabling HTTP/HTTPS access fully mitigates the vulnerability by preventing GUI-based access to FortiSwitch.
  • Configuring trusted hosts does not fully eliminate the risk, but it reduces the attack surface by restricting GUI access to specific source IP addresses.


Configuring Trusted Hosts on Standalone FortiSwitch:

config system admin
    edit admin
        set trusthost1 10.10.1.0 255.255.255.0
    next
end


Note: This configuration allows devices within the 10.10.1.0/24 subnet to access FortiSwitch.

Configuring Trusted Hosts on Managed FortiSwitch:

The configuration below is entered on the FortiGate and pushed to the FortiSwitch; refer to 'Executing custom FortiSwitch scripts'.

config switch-controller custom-command
    edit "trusthost1"
        set command "config system admin %0a edit admin %0a set trusthost1 10.255.1.0 255.255.255.0 %0a next %0a end %0a"
    next
end

config switch-controller managed-switch
    edit "S524DF4K1XXXXXXX"
        config custom-command
            edit 1
                set command-name "trusthost1"
            next
        end
    next
end

Note: The above example shows how to allow access to FortiSwitch from the 10.255.1.0/24 subnet, which is here assumed to be the FortiLink subnet.
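The script below is an added illustration, not Fortinet's code or part of this article. It generates the two FortiGate blocks shown above from a CIDR prefix, encodes the multi-line FortiSwitch script into the `%0a` form that `set command` expects, refuses a 0.0.0.0/0 trusted host (which would admit every source address), and checks which source addresses a given trusted-host list would admit. The function names, the treatment of an empty trusted-host list as unrestricted, and the switch serial (taken from the article's placeholder) are assumptions.

```python
"""Build the FortiGate custom-command that pushes a trusted-host setting to a
managed FortiSwitch, and check which source addresses it would admit.
Added example; not Fortinet code. Assumes the CLI shapes shown in this article."""
import ipaddress
from typing import Iterable, List


def trusthost_script(admin: str, subnet: str, index: int = 1) -> List[str]:
    """FortiSwitch CLI lines that set trusthost<index> for <admin>.
    subnet is CIDR ('10.255.1.0/24'); the CLI wants 'network netmask'."""
    net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits such as 10.255.1.7/24
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 as a trusted host admits every source address")
    return [
        "config system admin",
        f"edit {admin}",
        f"set trusthost{index} {net.network_address} {net.netmask}",
        "next",
        "end",
    ]


def custom_command_block(name: str, cli_lines: Iterable[str]) -> str:
    """Render 'config switch-controller custom-command' with the script flattened
    into a single 'set command' string; newlines are encoded as %0a."""
    body = " %0a ".join(line.strip() for line in cli_lines) + " %0a"
    return "\n".join([
        "config switch-controller custom-command",
        f'    edit "{name}"',
        f'        set command "{body}"',
        "    next",
        "end",
    ])


def managed_switch_binding(serial: str, command_name: str, entry: int = 1) -> str:
    """Render the managed-switch block that binds the custom command to one switch."""
    return "\n".join([
        "config switch-controller managed-switch",
        f'    edit "{serial}"',
        "        config custom-command",
        f"            edit {entry}",
        f'                set command-name "{command_name}"',
        "            next",
        "        end",
        "    next",
        "end",
    ])


def is_trusted(src_ip: str, trusthosts: Iterable[str]) -> bool:
    """True if src_ip falls inside any configured trusted-host subnet.
    An empty list is treated as 'no restriction' (assumed default behaviour)."""
    hosts = [ipaddress.ip_network(h, strict=False) for h in trusthosts]
    if not hosts:
        return True
    return any(ipaddress.ip_address(src_ip) in h for h in hosts)


if __name__ == "__main__":
    script = trusthost_script("admin", "10.255.1.0/24")
    print(custom_command_block("trusthost1", script))
    # "S524DF4K1XXXXXXX" is the placeholder serial from the article, not a real device.
    print(managed_switch_binding("S524DF4K1XXXXXXX", "trusthost1"))
    print(is_trusted("10.255.1.20", ["10.255.1.0/24"]))   # inside the FortiLink subnet
    print(is_trusted("203.0.113.5", ["10.255.1.0/24"]))   # outside it: GUI access denied
```

Passing `strict=True` to `ip_network` makes a typo such as `10.255.1.7/24` fail loudly instead of silently producing a network/mask pair the CLI would reject; the `/0` check is there because a trusted host of `0.0.0.0 0.0.0.0` would undo the mitigation entirely.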

Note for Managed FortiSwitch: Disabling HTTPS access on a FortiSwitch that is managed by a FortiGate is not recommended because configuration push from FortiGate to FortiSwitch relies on port 443 (HTTPS). Disabling HTTPS in this scenario would prevent configuration synchronization and management.

Best Recommendation: Upgrade FortiSwitch to a Fixed Version.

FortiSwitch v7.6.0 → Upgrade to v7.6.1 or above.
FortiSwitch v7.4.0 to v7.4.4 → Upgrade to v7.4.5 or above.
FortiSwitch v7.2.0 to v7.2.8 → Upgrade to v7.2.9 or above.
FortiSwitch v7.0.0 to v7.0.10 → Upgrade to v7.0.11 or above.
FortiSwitch v6.4.0 to v6.4.14 → Upgrade to v6.4.15 or above.
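As an added example (not Fortinet tooling), the script below turns the fixed-version table above into an inventory triage: it parses version strings into integer tuples so that 7.0.10 sorts after 7.0.9 (string comparison gets this wrong), reports the first fixed release for every switch still on an affected build, and flags branches the table does not list rather than guessing. The inventory it runs over is constructed.

```python
"""Triage a FortiSwitch inventory against the fixed-version table in this article.
Added example, not Fortinet tooling; the inventory below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (last affected release, first fixed release) per branch, as listed in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (7, 6): ((7, 6, 0), (7, 6, 1)),
    (7, 4): ((7, 4, 4), (7, 4, 5)),
    (7, 2): ((7, 2, 8), (7, 2, 9)),
    (7, 0): ((7, 0, 10), (7, 0, 11)),
    (6, 4): ((6, 4, 14), (6, 4, 15)),
}


def parse_version(text: str) -> Version:
    """'v7.0.10' or '7.0.10' -> (7, 0, 10). Integer tuples compare correctly
    where plain string comparison would rank '7.0.9' above '7.0.10'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiSwitch version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return ('affected', '<first fixed>'), ('fixed', None) or ('not-listed', None)."""
    v = parse_version(version_text)
    entry = FIXED_VERSIONS.get(v[:2])
    if entry is None:
        return ("not-listed", None)  # branch absent from the article's table; consult the advisory
    last_affected, first_fixed = entry
    if v <= last_affected:
        return ("affected", "v%d.%d.%d" % first_fixed)
    return ("fixed", None)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(serial, running version, upgrade target) for each switch on an affected build."""
    rows = []
    for serial, version in inventory.items():
        status, target = assess(version)
        if status == "affected":
            rows.append((serial, version, target))
    return rows


# Constructed sample inventory; serials and versions are made up for the example.
CONSTRUCTED_INVENTORY = {
    "SW-A": "v7.0.9",
    "SW-B": "v7.0.11",
    "SW-C": "v7.4.5",
    "SW-D": "v6.4.14",
    "SW-E": "v7.6.0",
}

if __name__ == "__main__":
    for serial, version, target in triage(CONSTRUCTED_INVENTORY):
        print(f"{serial}: {version} is affected, upgrade to {target} or above")
```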