CVE-2024-33507

Severity: High
Published: 14 October 2025
Modified: 15 October 2025
KEV Added: not listed
Patch: vendor advisory FG-IR-24-062 (see Deeper analysis)
CVSS v3.1: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS: 0.0010 (26.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-33507 is a high-severity vulnerability in Fortinet FortiIsolator that combines insufficient session expiration (CWE-613) with incorrect authorization (CWE-863) in the product's authentication mechanism. Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Web Cookies (T1606.001). Its EPSS score places it at the 26.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 AC-12 (Session Termination) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-33507 involves an insufficient session expiration vulnerability (CWE-613) and an incorrect authorization vulnerability (CWE-863) in the authentication mechanism of FortiIsolator. The affected versions are 2.4.0 through 2.4.4, all versions of 2.3, 2.2.0, all versions of 2.1, and all versions of 2.0. The vulnerability carries a CVSS v3.1 base score of 7.4 (High), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H. Note that the vector's PR:N reflects the unauthenticated deauthentication path; the privilege-escalation path described below requires an authenticated read-only account.

A remote unauthenticated attacker can send a crafted cookie to deauthenticate currently logged-in administrators, denying them administrative access. Separately, a remote attacker who already holds a read-only account can use a crafted cookie to obtain write privileges. Both paths depend on the authentication mechanism trusting client-supplied cookie contents, so the fix has to come from the vendor; until the patch is applied, limiting network reachability of the FortiIsolator administrative interface reduces exposure on both paths, since each requires network access to the endpoint (AV:N).

Fix and mitigation details are in the Fortinet PSIRT advisory FG-IR-24-062: https://fortiguard.fortinet.com/psirt/FG-IR-24-062.


Vulnerability details

An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie.

CWE(s)

CWE-613 Insufficient Session Expiration
CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability is exploited by forging cookies. A crafted cookie deauthenticates logged-in administrators, which is session manipulation akin to forging web credentials (T1606.001), and a crafted cookie from a read-only account bypasses authorization to gain write access (T1068). Because the affected authentication mechanism is a network-reachable service, an attacker already inside the network can also use it as a remote service to exploit for that escalation (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55590 (same product: Fortinet FortiIsolator)
CVE-2024-40591 (same vendor: Fortinet)
CVE-2024-48885 (same vendor: Fortinet)
CVE-2024-45328 (same vendor: Fortinet)
CVE-2025-62676 (same vendor: Fortinet)
CVE-2025-64157 (same vendor: Fortinet)
CVE-2026-24018 (same vendor: Fortinet)
CVE-2024-35273 (same vendor: Fortinet)
CVE-2024-35275 (same vendor: Fortinet)
CVE-2025-48418 (same vendor: Fortinet)

Affected Assets

Vendor: Fortinet
Product: FortiIsolator
Affected versions (per the vendor advisory quoted above): 2.4.0 through 2.4.4; 2.3 all versions; 2.2.0; 2.1 all versions; 2.0 all versions.

The automated asset range originally shown here (2.3.0 — 2.4.5) does not match the advisory: 2.4.5 is not listed as affected, while the 2.0, 2.1 and 2.2.0 branches are. Use the advisory's version list when scoping exposure.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-12 Session Termination (prevent): Addresses the insufficient session expiration weakness by requiring that sessions end only under defined, server-enforced conditions (inactivity, time limits, a user logging out of their own session) rather than on the contents of a client-supplied cookie, which removes the lever used to deauthenticate administrators.

AC-3 Access Enforcement (prevent): Enforces approved authorizations on every request from the server-side session record, so a crafted cookie cannot turn read-only access into write access.

Authenticator management (prevent; the page gives no control number for this entry, and the description corresponds to NIST 800-53 IA-5 Authenticator Management): Requires secure handling of authenticators, including session cookies, with expiration, protection from modification (for example by signing or by keeping the cookie opaque) and periodic refresh, which denies an attacker the ability to craft a cookie the server will accept.
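The following is a constructed illustration of the two weakness classes and the controls above. It is example code written for this page, not FortiIsolator code, and the cookie format, the 900-second TTL, the signing key and the user names are assumptions. A session handler that trusts cookie fields (the CWE-613 and CWE-863 pattern) sits beside a hardened one that keeps role and expiry server-side, HMAC-signs an opaque session id, and lets a caller terminate only the session its cookie authenticates.

```python
# Constructed example for this page, not FortiIsolator code: a session handler that
# trusts cookie fields (the CWE-613 / CWE-863 pattern) beside a hardened one that
# keeps role and expiry server-side and HMAC-signs an opaque session id.
import hashlib
import hmac
import secrets
import time


def parse_cookie(cookie):
    """Split 'a=1; b=2' into a dict; malformed input yields an empty dict."""
    try:
        return dict(p.strip().split("=", 1) for p in cookie.split(";") if p.strip())
    except ValueError:
        return {}


class WeakSessionServer:
    """Sessions never expire, the role travels in the cookie, logout trusts the cookie."""
    def __init__(self):
        self.sessions = {}  # sid -> {"user": ..., "role": ...}
    def login(self, user, role):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "role": role}
        return f"sid={sid}; user={user}; role={role}"
    def is_logged_in(self, cookie):
        return parse_cookie(cookie).get("sid") in self.sessions
    def is_writer(self, cookie):
        # CWE-863: authorization decided from an attacker-controlled cookie field
        return parse_cookie(cookie).get("role") == "admin"
    def logout(self, cookie):
        # Nothing proves the caller owns these sessions: an unauthenticated client
        # sending 'user=admin' terminates every administrator session
        victim = parse_cookie(cookie).get("user")
        doomed = [s for s, v in self.sessions.items() if v["user"] == victim]
        for s in doomed:
            del self.sessions[s]
        return bool(doomed)


class HardenedSessionServer:
    """Opaque session id, HMAC-signed cookie, server-side role and expiry."""
    def __init__(self, key, ttl_seconds=900, clock=time.time):
        self.key = key        # assumed per-deployment secret, never sent to clients
        self.ttl = ttl_seconds
        self.clock = clock    # injectable so expiry can be exercised in a test
        self.sessions = {}    # sid -> {"user": ..., "role": ..., "expires": ...}
    def _sign(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()
    def login(self, user, role):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "role": role, "expires": self.clock() + self.ttl}
        return f"sid={sid}; sig={self._sign(sid)}"
    def _resolve(self, cookie):
        """Return (sid, record) for a valid, unexpired cookie, else None."""
        fields = parse_cookie(cookie)
        sid, sig = fields.get("sid", ""), fields.get("sig", "")
        if not hmac.compare_digest(self._sign(sid).encode(), sig.encode()):
            return None  # forged or tampered cookie
        record = self.sessions.get(sid)
        if record is None or self.clock() >= record["expires"]:
            self.sessions.pop(sid, None)  # AC-12: drop the session on the defined condition
            return None
        return sid, record
    def is_logged_in(self, cookie):
        return self._resolve(cookie) is not None
    def is_writer(self, cookie):
        # AC-3: the role comes from the server-side record, never from the cookie
        found = self._resolve(cookie)
        return found is not None and found[1]["role"] == "admin"
    def logout(self, cookie):
        # A caller can end only the session its cookie authenticates
        found = self._resolve(cookie)
        return found is not None and self.sessions.pop(found[0]) is not None


def run_weak_scenarios():
    """Both attacks from the advisory succeed against the weak handler."""
    srv = WeakSessionServer()
    admin_cookie = srv.login("admin", "admin")
    ro_cookie = srv.login("auditor", "readonly")
    deauth = srv.logout("user=admin") and not srv.is_logged_in(admin_cookie)
    escalated = srv.is_writer(ro_cookie.replace("role=readonly", "role=admin"))
    return {"admin_deauthenticated": deauth, "readonly_got_write": escalated}


def run_hardened_scenarios():
    """The same crafted cookies fail; own logout and TTL expiry still work."""
    clock = [1_700_000_000.0]  # constructed clock, advanced by hand below
    srv = HardenedSessionServer(b"constructed-demo-key", 900, lambda: clock[0])
    admin_cookie = srv.login("admin", "admin")
    ro_cookie = srv.login("auditor", "readonly")
    crafted = ["user=admin", "sid=admin; sig=0000", "garbage"]
    deauth = any(srv.logout(c) for c in crafted) or not srv.is_logged_in(admin_cookie)
    escalated = srv.is_writer(ro_cookie + "; role=admin")  # extra field is ignored
    own_logout = srv.logout(ro_cookie)
    clock[0] += 901  # past the 900 s TTL
    return {"admin_deauthenticated": deauth, "readonly_got_write": escalated,
            "own_logout": own_logout, "expired_after_ttl": not srv.is_logged_in(admin_cookie)}
```

Against the weak handler, `run_weak_scenarios()` reports both the administrator deauthentication and the read-only-to-write escalation as successful; against the hardened one, `run_hardened_scenarios()` reports both as failed while a user's own logout and the TTL-driven expiry still take effect. The design point is that every decision (identity, role, termination) is taken from the server-side record that the signed cookie merely points to, so there is nothing in the cookie worth crafting.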

References

Fortinet PSIRT advisory FG-IR-24-062: https://fortiguard.fortinet.com/psirt/FG-IR-24-062