FortiOS - Existing websocket connection persists after deleting API admin


An insufficient session expiration [CWE-613] vulnerability in the FortiOS REST API may allow an attacker to keep an already-established secure websocket session active after the API admin user that opened it has been deleted.



Restrict the hosts that can connect to the websocket to trusted ones only, using the trusted host feature on the API admin account.
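As an added example (not from the Fortinet advisory), the FortiOS CLI configuration that applies this workaround to a REST API admin account. The account name `api-admin`, the access profile `prof_admin`, the VDOM and the two management prefixes are assumptions for illustration; substitute your own.

```fortios
# Added example, not part of the advisory: pin the REST API admin "api-admin"
# to two management prefixes with the trusted host feature. Name, profile,
# VDOM and prefixes are assumed values.
config system api-user
    edit "api-admin"
        set accprofile "prof_admin"
        set vdom "root"
        # Connections from any other source address are refused before a
        # session (HTTPS or websocket) can be opened.
        config trusthost
            edit 1
                set type ipv4-trusthost
                set ipv4-trusthost 10.10.0.0 255.255.255.0
            next
            edit 2
                set type ipv6-trusthost
                set ipv6-trusthost 2001:db8:10::/64
            next
        end
    next
end
```

`show system api-user api-admin` displays the resulting configuration for review. The trusted host list controls which source addresses may open a session with this account; it narrows who can reach the websocket rather than changing how long an established session lives, so the upgrade listed below remains the remediation.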

Version       Affected               Solution
FortiOS 7.4   Not affected           Upgrade to 7.4.0 or above
FortiOS 7.2   7.2.0 through 7.2.4    Upgrade to 7.2.5 or above
FortiOS 7.0   7.0.0 through 7.0.12   Upgrade to 7.0.13 or above
Follow the recommended upgrade path using our tool at:


Internally discovered and reported by Yi Liu of Fortinet Test team.


2023-07-01: Initial publication