FortiOS - SSLVPN session hijacking using SAML authentication

Summary

A session fixation vulnerability [CWE-384] in FortiOS may allow an unauthenticated attacker to hijack a user's session via a phishing SAML authentication link.

Version       Affected               Solution
FortiOS 7.6   Not affected           Not Applicable
FortiOS 7.4   7.4.0 through 7.4.3    Upgrade to 7.4.4 or above
FortiOS 7.2   7.2.0 through 7.2.7    Upgrade to 7.2.8 or above
FortiOS 7.0   7.0.0 through 7.0.13   Upgrade to 7.0.14 or above
FortiOS 6.4   Not affected           Not Applicable
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Timeline

2024-11-12: Initial publication