
Rolantis Agentis CVE-2025-10228

Severity: HIGH (8.8, CVSS 3.1, NVD)
Weakness: Session Fixation (CWE-384)
2025-10-14 · iletisim@usom.gov.tr

Severity by source

NVD (primary): 8.8 HIGH, vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 05, 2026 - 11:30 (vuln.today)

Description (CVE.org)

Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.

This issue affects Agentis: before 4.44.

Analysis (AI)

Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. The CVSS 8.8 score reflects full confidentiality, integrity, and availability impact once a session is hijacked; no public exploit had been identified at the time of analysis, and the issue is not on the CISA KEV list.

Technical Context (AI)

Agentis is a Turkish enterprise/agency management platform published by Rolantis Information Technologies, and the flaw is a classic CWE-384 Session Fixation: the application accepts a pre-existing session identifier (typically delivered via URL parameter or cookie before login) and continues to honor that same identifier after the victim authenticates, instead of issuing a fresh, unpredictable session ID at the privilege boundary. Because the session token is the sole binding between the browser and the authenticated principal, an attacker who knows the fixated value inherits the victim's authorization context once login completes. The CWE-384 root cause is failure to invoke session regeneration on authentication, a well-understood web-application defect.

Affected Products (AI)

Rolantis Information Technologies Agentis at all versions prior to 4.44 is affected; version 4.44 is the fixed baseline. No CPE strings were provided in the input data to narrow product editions or deployment modes, and no vendor advisory URL is included in the references - the only linked sources are the Turkish national CERT bulletins at https://www.usom.gov.tr/bildirim/tr-25-0336 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0336, which should be consulted for the authoritative product/edition list.

Remediation (AI)

Vendor-released patch: Agentis 4.44. Upgrade all instances to 4.44 or later as the primary fix, per the Turkish CERT advisories at https://www.usom.gov.tr/bildirim/tr-25-0336 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0336. If immediate upgrade is not possible, compensating controls include:

- forcing a fresh session cookie to be issued at the reverse proxy or WAF on every successful login response (rewrite or strip pre-existing session cookies on the login endpoint);
- refusing session identifiers passed via the URL query string (block requests that carry the session parameter in the query, accepting only cookie-borne tokens);
- shortening session cookie lifetime and setting the HttpOnly, Secure, and SameSite=Strict attributes to shrink the fixation window.

Note that strict SameSite can break legitimate cross-site SSO flows and proxy-level cookie rewriting can desynchronize sticky-session load balancers, so test before broad rollout. User-awareness controls (warn users not to follow login links from untrusted sources) reduce but do not eliminate the UI:R precondition.
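The following Python sketch is an added illustration, not Agentis code (the vendor's implementation is not on this page). It puts the CWE-384 pattern from the Technical Context section beside the regeneration fix, and implements two of the compensating controls from the Remediation section: refusing query-string session identifiers and auditing Set-Cookie attributes. The cookie name SESSIONID, the in-memory SessionStore and the sample values are assumptions for the example. The check `presented_id_survives_login` is the regression test a defender would run against a login handler: it returns True only when the identifier presented before authentication is still an authenticated session afterwards.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed cookie name for illustration; the real Agentis cookie name is not on the page.
SESSION_COOKIE = "SESSIONID"


class SessionStore:
    """Minimal in-memory session table: session id -> attributes (constructed for the example)."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        # Fresh, unpredictable identifier from a CSPRNG.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def login_vulnerable(store, presented_sid, username):
    """CWE-384 pattern: whatever identifier the client presented is adopted
    as the session id and then promoted to authenticated."""
    if presented_sid not in store.sessions:
        store.sessions[presented_sid] = {"user": None}
    store.sessions[presented_sid]["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username):
    """Regenerate at the privilege boundary: discard the pre-auth session
    entirely and bind the authenticated principal to a new id only."""
    store.sessions.pop(presented_sid, None)  # the presented id is never honored after login
    sid = store.create()
    store.sessions[sid]["user"] = username
    return sid


def session_id_from_request(url, cookie_header):
    """Accept the session id from the Cookie header only and refuse it in the
    query string, the delivery channel the remediation section says to block."""
    query = parse_qs(urlsplit(url).query)
    if SESSION_COOKIE in query:
        raise ValueError("session identifier in query string refused")
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def set_cookie_header(sid, max_age=900):
    """Set-Cookie value carrying the attributes named in the remediation section."""
    return (f"{SESSION_COOKIE}={sid}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


def missing_cookie_attributes(set_cookie_value):
    """Audit helper: which hardening attributes a Set-Cookie line lacks."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    wanted = {"httponly", "secure", "samesite", "max-age"}
    return sorted(wanted - attrs)


def presented_id_survives_login(login):
    """Regression check for a login handler. True means the CWE-384 defect is
    present: the pre-auth identifier is still an authenticated session."""
    store = SessionStore()
    presented = "pre-auth-id-constructed-for-the-test"
    new_sid = login(store, presented, "alice")
    return new_sid == presented and store.user_for(presented) == "alice"


if __name__ == "__main__":
    print("vulnerable handler keeps presented id:", presented_id_survives_login(login_vulnerable))
    print("hardened handler keeps presented id:  ", presented_id_survives_login(login_hardened))
    print("attributes missing from a bare cookie:", missing_cookie_attributes("SESSIONID=x; Path=/"))
```

The hardened handler drops the whole pre-authentication session rather than renaming it, so any state an untrusted party could have seeded before login (including a fixated identifier) does not cross the privilege boundary; if pre-auth state such as a shopping basket must survive, copy the specific fields you trust into the new session explicitly.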


CVE-2025-10228 vulnerability details – vuln.today
