Improper session handling during authentication

Summary

An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the FortiIsolator authentication mechanism may allow a remote unauthenticated attacker to deauthenticate logged-in administrators via a crafted cookie, and a remote authenticated read-only attacker to gain write privileges via a crafted cookie.

Version             Affected              Solution
FortiIsolator 3.0   Not affected          Not Applicable
FortiIsolator 2.4   2.4.0 through 2.4.4   Upgrade to 2.4.5 or above
FortiIsolator 2.3   2.3 all versions      Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Leslie Zhou of the Fortinet Vulnerability Research team.

Timeline

2025-10-14: Initial publication