CVE-2024-50562: 
FortiOS vulnerability analysis and mitigation

An Insufficient Session Expiration vulnerability (CVE-2024-50562) was identified in FortiOS SSL-VPN affecting multiple versions including FortiOS 7.6.0, versions 7.4.6 and below, versions 7.2.10 and below, all versions of 7.0 and 6.4, as well as FortiSASE 24.4.b. The vulnerability was disclosed on June 10, 2025, and is classified under CWE-613 (Insufficient Session Expiration) (Fortinet Advisory).

The vulnerability allows an attacker in possession of a cookie used to log in to the SSL-VPN portal to log in again, even though the session has expired or was logged out. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. It's important to note that tunnel mode is not affected by this vulnerability (Fortinet Advisory).

The vulnerability could lead to improper access control, potentially allowing unauthorized access to the SSL-VPN portal even after session expiration or logout. This could compromise the confidentiality and integrity of the system, though with limited impact as indicated by the CVSS score (Fortinet Advisory).

Fortinet has released fixes for affected versions. Users should upgrade FortiOS 7.6.0 to version 7.6.1 or above, FortiOS 7.4.0-7.4.7 to version 7.4.8 or above, and FortiOS 7.2.0-7.2.10 to version 7.2.11 or above. For FortiOS 7.0 and 6.4 (all versions), users should migrate to a fixed release. FortiSASE users should note that version 24.4.c contains the fix (Fortinet Advisory).

The vulnerability was responsibly disclosed by security researchers Vang3lis and Cyth from VARAS@IIE and Shahid Parvez Hakim, CEO & Founder of Bugb Technologies (bugb.io) (Fortinet Advisory).