CVE-2024-33507
Published: 14 October 2025
Summary
CVE-2024-33507 is a high-severity Insufficient Session Expiration (CWE-613) and Incorrect Authorization (CWE-863) vulnerability in the authentication mechanism of Fortinet FortiIsolator. Its CVSS v3.1 base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Cookies (T1606.001). The CVE is ranked at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): directly addresses insufficient session expiration by requiring that sessions be terminated once defined conditions (idle time, absolute lifetime, explicit logout) are met, limiting the window in which a crafted cookie can be used to deauthenticate administrators.
- AC-3 (Access Enforcement): enforces approved access-control policies on the server side rather than on values carried in the cookie, so a crafted cookie cannot turn read-only access into write access.
- Authenticator management: requires secure handling of authenticators, session cookies included, with expiration, protection from modification, and periodic refresh, countering exploitation through crafted cookies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a remote unauthenticated attacker forge a cookie that deauthenticates logged-in administrators (session manipulation akin to forging web credentials) and lets a remote authenticated read-only user escalate to write access through an authorization bypass; in both cases the remotely exposed authentication mechanism is exploited directly, in the second case for privilege escalation.
NVD Description
An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie.
Deeper analysis
CVE-2024-33507 involves an insufficient session expiration vulnerability (CWE-613) and an incorrect authorization vulnerability (CWE-863) in the authentication mechanism of FortiIsolator. The affected versions include 2.4.0 through 2.4.4, all versions of 2.3, 2.2.0, all versions of 2.1, and all versions of 2.0. The vulnerability carries a CVSS v3.1 base score of 7.4 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H.
A remote unauthenticated attacker can exploit this to deauthenticate currently logged-in administrators by sending a crafted cookie. Separately, a remote authenticated attacker with read-only privileges can leverage a crafted cookie to gain elevated write privileges.
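The two weakness classes behind this CVE are easiest to see side by side. The Python below is an added illustration written for this page; it is not FortiIsolator code (Fortinet has not published the affected handler), and the cookie format, the signing key, the user-to-role table and the timeout values are all constructed assumptions. The weak handler trusts identity, role and expiry carried in the client's cookie, which is what makes a crafted cookie both a session-expiration (CWE-613) and an authorization (CWE-863) problem. The hardened handler keeps every session attribute server-side, issues only an opaque HMAC-signed session ID, enforces idle and absolute lifetimes on the server, and only terminates a session when presented with that session's own valid cookie, so a forged cookie can neither extend a session, escalate a role, nor log anyone else out.

```python
"""Session-cookie handling: a weak pattern (CWE-613 + CWE-863) beside a hardened one.

Added example for illustration; not FortiIsolator code. All names, formats and
constants here are assumptions constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: a real deployment loads this from a secret store, never a literal.
SECRET_KEY = b"example-only-signing-key"

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


# ---- Weak pattern: identity, role and expiry all come from the client ----
def weak_authorize(cookie: str, now: float) -> Optional[dict]:
    """Assumed cookie format: 'user=alice;role=ro;exp=1700000000'."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)
    try:
        exp = float(fields.get("exp", "0"))
    except ValueError:
        return None
    if exp < now:
        # CWE-613: the client controls 'exp', so the session never really expires.
        return None
    # CWE-863: the role is read straight from attacker-controlled input.
    return {"user": fields.get("user"), "role": fields.get("role")}


# ---- Hardened pattern: opaque signed ID, all state kept server-side ----
@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # Constructed user->role table; a real system would query its directory.
        self._roles = {"admin": "admin", "auditor": "ro"}

    def _sign(self, sid: str) -> str:
        return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, now: float) -> str:
        """Log a user in and return the cookie value '<random sid>.<hmac>'."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self._roles[user], now, now)
        return f"{sid}.{self._sign(sid)}"

    def _resolve(self, cookie: str, now: float) -> Optional[Tuple[str, Session]]:
        """Validate the signature, then enforce expiry from server-side timestamps."""
        sid, _, mac = cookie.rpartition(".")
        if not sid or not hmac.compare_digest(mac, self._sign(sid)):
            return None                      # forged or tampered cookie
        sess = self._sessions.get(sid)
        if sess is None:
            return None                      # unknown or already terminated
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]          # AC-12: terminate on the server, not by trusting 'exp'
            return None
        sess.last_seen = now
        return sid, sess

    def authorize(self, cookie: str, now: float, need_write: bool = False) -> Optional[dict]:
        resolved = self._resolve(cookie, now)
        if resolved is None:
            return None
        _, sess = resolved
        if need_write and sess.role != "admin":
            return None                      # AC-3: role comes from server state, not the cookie
        return {"user": sess.user, "role": sess.role}

    def logout(self, cookie: str, now: float) -> bool:
        """Only the holder of a valid, unexpired cookie can end that one session."""
        resolved = self._resolve(cookie, now)
        if resolved is None:
            return False                     # a forged cookie cannot deauthenticate anyone
        del self._sessions[resolved[0]]
        return True
```

Running the weak handler with a cookie whose `role` and `exp` fields were edited by the client shows it accepting an escalated role and a far-future expiry; the same tampering against `SessionStore` fails the HMAC check before any state is consulted, and `logout` refuses to act on it, which is the property the two reported attack paths lack.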
Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-062.
Details
- CWE(s)