Insufficient Session Expiration in SSL-VPN cookie

Summary

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
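To make the CWE-613 weakness concrete, the following is an added illustration (not FortiOS code, and not a description of how FortiOS implements its SSL-VPN portal): a generic web portal built two ways. `StatelessPortal` validates a signed cookie purely from its own contents, so logout has nothing to revoke and a copy of the cookie keeps working; `StatefulPortal` keeps the session record server side and drops it on logout or expiry. Class names, the signing key and the timestamps are constructed for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real deployment would load this from a secret store.
COOKIE_KEY = b"demo-only-cookie-signing-key"
SESSION_TTL = 60  # session lifetime in seconds, shared by both portals


def _sign(payload: str) -> str:
    """HMAC-SHA256 tag over the cookie payload (used by the stateless variant)."""
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


class StatelessPortal:
    """Weak pattern: the cookie carries user and expiry and is signed, but the
    server stores nothing. Logout cannot invalidate an already-issued cookie,
    so any copy of it is accepted until the embedded expiry passes."""

    def login(self, user: str, now: float) -> str:
        payload = f"{user}:{int(now) + SESSION_TTL}"
        return f"{payload}:{_sign(payload)}"

    def logout(self, cookie: str) -> None:
        pass  # nothing to revoke server side

    def is_valid(self, cookie: str, now: float) -> bool:
        try:
            user, exp, sig = cookie.rsplit(":", 2)
        except ValueError:
            return False
        if not hmac.compare_digest(_sign(f"{user}:{exp}"), sig):
            return False
        return now < int(exp)


class StatefulPortal:
    """Hardened pattern: the cookie is an opaque random token; the server keeps
    the session record and deletes it on logout or when it has expired."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + SESSION_TTL)
        return token

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)  # revocation takes effect immediately

    def is_valid(self, cookie: str, now: float) -> bool:
        record = self._sessions.get(cookie)
        if record is None:
            return False
        _user, expires_at = record
        if now >= expires_at:
            del self._sessions[cookie]  # purge the expired record
            return False
        return True


def cookie_survives_logout(portal_cls) -> bool:
    """True if a cookie copied before logout is still accepted afterwards."""
    portal = portal_cls()
    now = 1_000_000.0  # constructed clock value
    cookie = portal.login("alice", now)
    if not portal.is_valid(cookie, now + 1):
        raise RuntimeError("fresh cookie should be accepted")
    portal.logout(cookie)
    return portal.is_valid(cookie, now + 2)


def cookie_survives_expiry(portal_cls) -> bool:
    """True if a cookie is still accepted after the session lifetime has passed."""
    portal = portal_cls()
    now = 1_000_000.0
    cookie = portal.login("alice", now)
    return portal.is_valid(cookie, now + SESSION_TTL + 1)


if __name__ == "__main__":
    for cls in (StatelessPortal, StatefulPortal):
        print(cls.__name__, "survives logout:", cookie_survives_logout(cls),
              "survives expiry:", cookie_survives_expiry(cls))
```

The check that matters for a detection or review is the logout case: both designs enforce expiry, but only the stateful one makes logout mean anything, which is why server-side session revocation (or a server-side deny list of revoked token identifiers) is the usual fix for this weakness class.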

Version        | Affected                | Solution
FortiOS 7.6    | 7.6.0                   | Upgrade to 7.6.1 or above
FortiOS 7.4    | 7.4.0 through 7.4.7     | Upgrade to 7.4.8 or above
FortiOS 7.2    | 7.2.0 through 7.2.10    | Upgrade to 7.2.11 or above
FortiOS 7.0    | 7.0 all versions        | Migrate to a fixed release
FortiOS 6.4    | 6.4 all versions        | Migrate to a fixed release
FortiSASE 24.4 | 24.4.b                  | Fortinet remediated this issue in 24.4.c and hence customers do not need to perform any action.
FortiSASE 23.3 | Not affected            | Not Applicable
FortiSASE 23.2 | Not affected            | Not Applicable
FortiSASE 23.1 | Not affected            | Not Applicable
FortiSASE 22.4 | Not affected            | Not Applicable
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Tunnel mode is not affected by this vulnerability.

Acknowledgement

Fortinet is pleased to thank Vang3lis and Cyth from VARAS@IIE, and Shahid Parvez Hakim, CEO & Founder of Bugb Technologies (bugb.io), for reporting this vulnerability under responsible disclosure.

Timeline

2025-06-10: Initial publication