Cyber Posture

CVE-2024-33507

Severity: High
Published: 14 October 2025
Modified: 15 October 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0012 (30.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2024-33507 involves an insufficient session expiration vulnerability (CWE-613) and an incorrect authorization vulnerability (CWE-863) in the authentication mechanism of FortiIsolator. The affected versions include 2.4.0 through 2.4.4, all versions of 2.3, 2.2.0, all versions of 2.1, and all versions of 2.0. The vulnerability carries a CVSS v3.1 base score of 7.4 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H.

A remote unauthenticated attacker can exploit this to deauthenticate currently logged-in administrators by sending a crafted cookie. Separately, a remote authenticated attacker with read-only privileges can leverage a crafted cookie to gain elevated write privileges.

Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-062.

Details

CWE(s): CWE-613

Affected Products

Vendor: fortinet
Product: fortiisolator
Versions: 2.3.0 through 2.4.5

MITRE ATT&CK Enterprise Techniques

T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability lets an attacker submit crafted cookies to deauthenticate logged-in administrators (session manipulation comparable to forging web credentials, T1606.001) and to escalate from read-only to write access through an authorization bypass (T1068); since the flaw is reachable over the network (AV:N), it directly supports exploitation of a remote service for privilege escalation (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Fortinet PSIRT advisory FG-IR-24-062: https://fortiguard.fortinet.com/psirt/FG-IR-24-062