CVE-2022-45862: 
FortiOS vulnerability analysis and mitigation

CVE-2022-45862 is an insufficient session expiration vulnerability [CWE-613] affecting the graphical user interface (GUI) of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The vulnerability was discovered internally by Goutham Rukmasah from Fortinet's FortiGuard Labs and was initially published on August 13, 2024. This vulnerability has been assigned a CVSSv3 score of 3.5, indicating a low severity level (Fortiguard PSIRT).

The vulnerability stems from improper access control in the GUI console WebSockets implementation. The core issue is that WebSocket connections do not properly terminate when users log out of the GUI interface. This implementation flaw could potentially allow attackers to reuse web sessions after a user has logged out of the GUI, provided they have acquired the necessary credentials (Cybersecurity News).

The primary impact of this vulnerability is improper access control, which could allow unauthorized access to the affected systems. If exploited, attackers who have obtained the required credentials could potentially reuse web sessions even after legitimate users have logged out of the GUI interface (Fortiguard PSIRT).

Fortinet has released patches and provided specific upgrade paths for affected products. For FortiOS 7.2.0 through 7.2.5, users should upgrade to version 7.2.6 or above. FortiOS 7.0 and 6.4 users need to migrate to a fixed release. FortiProxy 7.2 and 7.0 users should migrate to a fixed release. FortiSwitchManager 7.2.0 through 7.2.1 users should upgrade to version 7.2.2 or above. FortiPAM users on versions 1.0 through 1.3 should migrate to a fixed release. Users can follow the recommended upgrade path using Fortinet's upgrade tool (Fortiguard PSIRT).