Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-50562
CVE-2024-50562:
FortiOS vulnerability analysis and mitigation
Overview
An Insufficient Session Expiration vulnerability (CVE-2024-50562) was identified in FortiOS SSL-VPN affecting multiple versions including FortiOS 7.6.0, versions 7.4.0-7.4.7, versions 7.2.0-7.2.10, all versions of 7.0 and 6.4, as well as FortiSASE 24.4.b. The vulnerability was disclosed on June 10, 2025, and is classified under CWE-613 (Insufficient Session Expiration). This vulnerability allows an attacker in possession of a cookie used to log in to the SSL-VPN portal to log in again, even though the session has expired or was logged out (Fortinet Advisory, NVD Entry).
Technical details
The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. It specifically affects the SSL-VPN component of FortiOS and related products. It's important to note that tunnel mode is not affected by this vulnerability (Fortinet Advisory, Wiz Analysis).
Impact
The vulnerability could lead to improper access control, potentially allowing unauthorized access to the SSL-VPN portal even after session expiration or logout. This could compromise the confidentiality and integrity of the system, though with limited impact as indicated by the CVSS score (Fortinet Advisory).
Mitigation and workarounds
Fortinet has released fixes for affected versions. Users should upgrade FortiOS 7.6.0 to version 7.6.1 or above, FortiOS 7.4.0-7.4.7 to version 7.4.8 or above, and FortiOS 7.2.0-7.2.10 to version 7.2.11 or above. For FortiOS 7.0 and 6.4 (all versions), users should migrate to a fixed release. FortiSASE users should note that version 24.4.c contains the fix. Users can follow the recommended upgrade path using Fortinet's upgrade tool (Fortinet Advisory).
Community reactions
The vulnerability was responsibly disclosed by security researchers Vang3lis and Cyth from VARAS@IIE and Shahid Parvez Hakim, CEO & Founder of Bugb Technologies (bugb.io). Given Fortinet's history with SSL-VPN exploits, including recent critical vulnerabilities, organizations are advised to prioritize patching these issues (Cybersecurity News).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management