CVE-2024-27779

MEDIUM

FortiSandbox <4.4.4 - Info Disclosure

Title source: llm

Description

An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted.

References (1)

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-24-035

Scores

CVSS v3 6.7

EPSS 0.0014

EPSS Percentile 33.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-613

Status published

Products (2)

fortinet/fortiisolator 1.2.0 - 2.4.5

fortinet/fortisandbox 3.2.0 - 4.2.7

Published Jul 18, 2025

Tracked Since Feb 18, 2026