CVE-2021-24019

HIGH

Fortinet Forticlient Endpoint Managem... - Insufficient Session Expiration


Description

An insufficient session expiration vulnerability [CWE-613] in FortiClientEMS versions 6.4.2 and below and 6.2.8 and below may allow an attacker who has obtained an unexpired admin user session ID (via other, hypothetical attacks) to reuse that session ID and gain admin privileges.
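The weakness class behind this CVE, shown as an added illustration rather than anything from FortiClientEMS or Fortinet: a server-side session store that never ages out admin sessions and whose logout only clears the client cookie (the CWE-613 pattern), next to one that enforces idle and absolute timeouts and destroys the record on logout. The class names, the 15-minute idle and 8-hour absolute limits, and the probe() function are assumptions made for the example; probe() runs the replays a tester would try with a stolen admin session ID and reports whether each was still accepted.

```python
"""Illustration of CWE-613 (Insufficient Session Expiration). Toy session
stores, not FortiClientEMS code: one that never expires sessions, one that does."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime regardless of activity (assumed policy)


@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float


class VulnerableSessionStore:
    """Accepts any session ID it ever issued. Nothing ages out, and logout only
    tells the client to drop its cookie, so a leaked admin session ID stays
    usable indefinitely (the pattern CWE-613 describes)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, role, now):
        sid = secrets.token_urlsafe(32)          # unguessable ID; the flaw is lifetime, not entropy
        self._sessions[sid] = Session(user, role, now, now)
        return sid

    def lookup(self, sid, now):
        # No age check: an ID issued hours or days ago is as good as a fresh one.
        return self._sessions.get(sid)

    def logout(self, sid):
        # Server-side state is untouched; only the browser forgets the cookie.
        return None


class HardenedSessionStore(VulnerableSessionStore):
    """Same API, but every lookup enforces idle and absolute expiry and logout
    destroys the server-side record."""

    def lookup(self, sid, now):
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.created > ABSOLUTE_TIMEOUT or now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]              # expired: purge so it can never be replayed
            return None
        session.last_seen = now                  # sliding idle window
        return session

    def logout(self, sid):
        self._sessions.pop(sid, None)            # invalidate server-side, not just client-side


def probe(store_cls):
    """Replay a stolen admin session ID in the situations a tester checks.
    Each entry is True when the store still accepted the ID (the weak behaviour),
    except legit_use_accepted, which should be True for any usable store."""
    t0 = 1_700_000_000.0                         # fixed clock so the run is deterministic
    results = {}

    store = store_cls()
    sid = store.create("admin", "admin", t0)
    results["legit_use_accepted"] = store.lookup(sid, t0 + 60) is not None

    store = store_cls()
    sid = store.create("admin", "admin", t0)
    store.logout(sid)
    results["after_logout"] = store.lookup(sid, t0 + 1) is not None

    store = store_cls()
    sid = store.create("admin", "admin", t0)
    results["after_idle"] = store.lookup(sid, t0 + IDLE_TIMEOUT + 1) is not None

    store = store_cls()
    sid = store.create("admin", "admin", t0)
    # Keep the session active every 10 minutes; the absolute cap must still end it.
    t, alive = t0, True
    while t < t0 + ABSOLUTE_TIMEOUT + 600:
        t += 600
        alive = store.lookup(sid, t) is not None
        if not alive:
            break
    results["after_absolute"] = alive
    return results


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, probe(cls))
```

The probe is the check worth carrying into a real assessment: log in as an admin, capture the session ID, then replay it after logout, after sitting idle past the documented timeout, and after the absolute lifetime. Any of those succeeding is the condition this advisory describes.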

Exploits (1)

nomisec SCANNER 2 stars
by chessredoffsec · poc
https://github.com/chessredoffsec/CVE-2021-24019

References (1)

Vendor Advisory (x_refsource_confirm)
https://fortiguard.com/advisory/FG-IR-20-072

Scores

CVSS v3 8.1
EPSS 0.1519
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-613
Status published
Products (1)
fortinet/forticlient_endpoint_management_server < 6.2.9
Published Oct 06, 2021
Tracked Since Feb 18, 2026