Impact
An issue in runZero Platform prevents inactivity timeouts from functioning when the page automatically reloads, so an authenticated session can remain active indefinitely. The flaw is classified as CWE-613 (Insufficient Session Expiration): a user who has logged in can continue to operate within a session that should already have expired, allowing potential unauthorized actions during what should be a protected idle period. The vulnerability has a CVSS 3.1 score of 5.9, which classifies it as medium severity. The stated impact is loss of confidentiality and integrity of data accessed through the continued session, together with loss of the intended isolation of idle users.
Affected Systems
All runZero Platform installations running any version older than 4.0.260203.0 are affected. The vendor has released version 4.0.260203.0, which corrects the automatic-reload logic that was preventing timeout enforcement.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate risk. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of widespread exploitation. The most likely attack scenario involves an attacker who already holds an authenticated session, or who can force a page reload to keep a session alive; no public exploit is documented. Administrators should treat the risk as significant for systems that permit prolonged idle sessions, particularly in environments where user actions could be critical or sensitive. Prompt remediation reduces the window for any potential misuse.
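The session-expiry failure described above, as an added example that is not runZero's code: a server-side check in which automatic page reloads are still served but never extend the idle clock, placed beside the weaker pattern where any request resets it. The `Session` type, the `user_initiated` flag, the handler names and the timeout values are assumptions for illustration; the advisory does not document how the runZero reload logic interacted with its timeout, so the weak handler models the general CWE-613 pattern rather than the product's actual code.

```python
"""Added example (not runZero Platform code): server-side idle-timeout
enforcement that an automatic page reload cannot extend.

Assumptions (labelled): the server can tell a user-initiated request from an
automatic refresh, e.g. because the auto-reload script calls a dedicated
polling endpoint, or because only explicit user actions are counted as
activity. The 'naive' handler models the general CWE-613 pattern in which any
request, including an automated reload, resets the idle clock.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds allowed without real user activity (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity (assumed)


@dataclass
class Session:
    user: str
    created_at: float          # seconds since login on a constructed clock
    last_user_activity: float  # time of the last request that came from a human action
    revoked: bool = False


def is_valid(session: Session, now: float) -> bool:
    """Both the idle and the absolute timeout are checked server-side on every request."""
    if session.revoked:
        return False
    if now - session.created_at > ABSOLUTE_TIMEOUT:
        return False
    if now - session.last_user_activity > IDLE_TIMEOUT:
        return False
    return True


def handle_request_naive(session: Session, now: float, user_initiated: bool) -> bool:
    """Weak pattern: every request, including an automatic reload, refreshes the
    idle clock, so a page that reloads itself never times out."""
    if not is_valid(session, now):
        session.revoked = True
        return False
    session.last_user_activity = now      # defect: ignores whether a human acted
    return True


def handle_request(session: Session, now: float, user_initiated: bool) -> bool:
    """Hardened pattern: only user-initiated requests extend the idle clock.
    Automatic reloads are still served while the session is valid, but they do
    not count as activity, so an idle user is logged out on schedule."""
    if not is_valid(session, now):
        session.revoked = True
        return False
    if user_initiated:
        session.last_user_activity = now
    return True


def simulate(handler, session: Session, events):
    """Replay (seconds_since_login, user_initiated) events through a handler and
    return whether each request was allowed."""
    return [handler(session, t, user_initiated) for t, user_initiated in events]


# Constructed scenario: login at t=0, then the page auto-reloads once a minute
# for 20 minutes with no human interaction at all.
AUTO_RELOADS = [(60 * i, False) for i in range(1, 21)]


def demo():
    """Return (naive_results, hardened_results) for the auto-reload scenario."""
    naive = simulate(handle_request_naive, Session("alice", 0.0, 0.0), AUTO_RELOADS)
    hardened = simulate(handle_request, Session("alice", 0.0, 0.0), AUTO_RELOADS)
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive   :", naive.count(True), "of", len(naive), "reloads served")
    print("hardened:", hardened.count(True), "of", len(hardened), "reloads served")
```

The design point is that the server, not the browser, decides what counts as activity: an automated reload is indistinguishable from a real visit unless the application makes it distinguishable, so counting only explicit user actions (and pairing the idle timeout with an absolute lifetime) keeps an unattended session from living forever.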
OpenCVE Enrichment