Unrated severityNVD Advisory· Published Jul 18, 2025· Updated Feb 26, 2026

CVE-2024-27779

Description

An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted.

Affected products

Fortinet/FortiIsolatorv5
cpe:2.3:a:fortinet:fortiisolator:2.4.4:*:*:*:*:*:*:*
Range: 2.4.0
Fortinet/Fortisandboxv5
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
Range: 4.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.fortinet.com/psirt/FG-IR-24-035mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000