> Fortinet's Security Concerns Raise Eyebrows with Latest Vulnerability Discovery

Fortinet - Another Vulnerability? Where is your Cyber Security At?

Blog - 04 - .fortinet_security_concerns_raise_eyebrows_with_latest_vulnerability_discovery_cve 2024 48887

Apr 9, 2025

Fortinet's Security Concerns Raise Eyebrows with Latest Vulnerability Discovery

The recent disclosure of CVE-2024-48887, a critical vulnerability in FortiSwitch devices, has sparked concerns about Fortinet's commitment to secure software development. Despite being discovered internally by the company, the fact that this vulnerability made it past the development phase and into production raises questions about the effectiveness of Fortinet's security protocols.

The vulnerability, which allows an attacker to change the admin password without authentication, is a stark reminder of the importance of adhering to basic OWASP principles. The lack of proper user input validation and poor authentication and authorization practices are shocking, especially considering the size and reputation of Fortinet. It's alarming that an attacker can exploit this vulnerability via a specially crafted HTTP request, highlighting the need for more robust security measures.

What's even more troubling is that the CVE has a 2024 prefix, yet it was publicly published on April 8, 2025, according to MITRE. This suggests that Fortinet may have had prior knowledge of the issue, raising concerns about the company's transparency and willingness to address security concerns in a timely manner.

The fact that a member of the UI development team discovered this vulnerability, rather than someone from the security team, is also noteworthy. It begs the question: are security professionals being adequately involved in the development process, or is security being treated as an afterthought?

Furthermore, the release of FortiSwitchOS 7.6.1, which fixes this vulnerability, reportedly occurred at the end of last year or early this year. This raises concerns about the speed at which Fortinet is pushing products to market, potentially compromising security in the process.

In today's digital landscape, it's unacceptable for a company of Fortinet's size and stature to release software with such glaring vulnerabilities. The tools and expertise are available to detect and prevent these types of issues, making it all the more surprising that they continue to occur.

As a potential customer, the thought of deploying FortiSwitches is daunting, given the cyber risk that Fortinet's equipment may impose. The company must take immediate action to address these concerns and demonstrate a commitment to secure software development.

To restore confidence in their products, Fortinet must provide transparent answers to the following questions:

  • What steps are being taken to ensure secure software development, including the implementation of SAST/DAST and security reviews?
  • Are security professionals being adequately involved in the development process, or is security being treated as an afterthought?
  • What measures are being taken to prevent similar vulnerabilities from occurring in the future?
  • How does Fortinet plan to prioritize security in its product development cycle, rather than rushing to market with potentially vulnerable software?

HackRange

Ultimate Security Mentorship

home about TOS login
100654

copyright ©2025 HackRange