CVE-2025-10228: Rolantis Agentis
Severity: HIGH (by source)
Primary rating from NVD, the only source for this CVE.
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.
This issue affects Agentis: before 4.44.
Analysis (AI)
Session hijacking against Rolantis Information Technologies Agentis prior to version 4.44 is possible because the application fails to regenerate session identifiers across authentication state changes, letting a remote attacker who can lure a victim into using an attacker-supplied session token take over the authenticated session. The CVSS 8.8 score reflects full confidentiality, integrity, and availability impact once the session is hijacked; no public exploit was identified at the time of analysis, and the issue is not on the CISA KEV list.
Technical Context (AI)
Agentis is a Turkish enterprise/agency management platform published by Rolantis Information Technologies, and the flaw is a classic CWE-384 Session Fixation: the application accepts a pre-existing session identifier (typically delivered via URL parameter or cookie before login) and continues to honor that same identifier after the victim authenticates, instead of issuing a fresh, unpredictable session ID at the privilege boundary. Because the session token is the sole binding between the browser and the authenticated principal, an attacker who knows the fixated value inherits the victim's authorization context once login completes. The CWE-384 root cause is failure to invoke session regeneration on authentication, a well-understood web-application defect.
Affected Products (AI)
Rolantis Information Technologies Agentis at all versions prior to 4.44 is affected; version 4.44 is the fixed baseline. No CPE strings were provided in the input data to narrow product editions or deployment modes, and no vendor advisory URL is included in the references - the only linked sources are the Turkish national CERT bulletins at https://www.usom.gov.tr/bildirim/tr-25-0336 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0336, which should be consulted for the authoritative product/edition list.
Remediation (AI)
Vendor-released patch: Agentis 4.44 - upgrade all instances to 4.44 or later as the primary fix, per the Turkish CERT advisories at https://www.usom.gov.tr/bildirim/tr-25-0336 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0336. If immediate upgrade is not possible, compensating controls include forcing a fresh session cookie issuance at the reverse proxy or WAF on every successful login response (rewrite or strip pre-existing session cookies on the login endpoint), refusing session identifiers passed via URL query string (block requests containing the session parameter in the query, accepting only cookie-borne tokens), and shortening session cookie lifetime with the HttpOnly, Secure, and SameSite=Strict attributes to shrink the fixation window - note that strict SameSite can break legitimate cross-site SSO flows and proxy-level cookie rewriting can desynchronize sticky-session load balancers, so test before broad rollout. User-awareness controls (warn users not to follow login links from untrusted sources) reduce but do not eliminate the UI:R precondition.
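As an added illustration of the CWE-384 root cause and the controls described above (regenerate the identifier at the authentication boundary, refuse query-string session ids, issue the cookie with HttpOnly/Secure/SameSite), here is example code that is not Agentis's code or anything from the advisories; the in-memory store, the function names and the `sid` parameter name are assumptions:

```python
import secrets
from urllib.parse import parse_qs, urlparse

SESSIONS = {}  # constructed in-memory session store: sid -> {"user": username or None}

def new_session():
    """Issue an unpredictable, anonymous (pre-authentication) session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login_fixated(sid, username, password_ok):
    """CWE-384 pattern: keeps the sid that arrived with the login request and merely marks it authenticated."""
    SESSIONS.setdefault(sid, {"user": None})
    if password_ok:
        SESSIONS[sid]["user"] = username
    return sid

def login_regenerating(sid, username, password_ok):
    """Hardened: on success, discard the pre-auth sid and bind the user to a freshly generated one."""
    if not password_ok:
        return sid
    SESSIONS.pop(sid, None)
    fresh = new_session()
    SESSIONS[fresh]["user"] = username
    return fresh

def session_id_from_request(cookie_sid, url):
    """Accept only cookie-borne tokens; refuse requests that carry 'sid' in the query string."""
    if "sid" in parse_qs(urlparse(url).query):
        return None
    return cookie_sid

def session_cookie_header(sid, max_age=900):
    """Set-Cookie value for the fresh id, with the attributes recommended above."""
    return f"sid={sid}; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict; Path=/"

def whoami(sid):
    return SESSIONS.get(sid, {}).get("user")

def compare():
    """Same scenario through both handlers: a sid issued before login is used to authenticate."""
    pre_login = new_session()
    login_fixated(pre_login, "victim", True)
    inherited = whoami(pre_login)     # "victim": the pre-login id now carries the login
    pre_login2 = new_session()
    login_regenerating(pre_login2, "victim", True)
    dead = whoami(pre_login2)         # None: the pre-login id was invalidated
    return inherited, dead
```

The fixated handler is the defect to look for in a code review; the regenerating handler, combined with rejecting query-string ids, is what version 4.44 is expected to provide and what the proxy-level workaround approximates.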