CVE-2025-25252
📋 TL;DR
This vulnerability allows attackers with access to SAML session records to re-open terminated sessions, potentially regaining access to FortiOS SSL VPN. Affected systems include FortiOS SSL VPN versions 7.6.0-7.6.2, 7.4.0-7.4.6, 7.2.0-7.2.10, 7.0.0-7.0.16, and all 6.4 versions. This primarily impacts organizations using Fortinet SSL VPN with SAML authentication.
💻 Affected Systems
- FortiOS SSL VPN
📦 What is this software?
FortiOS by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Former administrators or terminated users regain privileged access to VPN sessions, potentially leading to unauthorized network access, data exfiltration, or lateral movement.
Likely Case
Terminated users with preserved SAML records regain limited access to their previous VPN sessions, potentially accessing internal resources they should no longer have permission to use.
If Mitigated
With proper session monitoring and access controls, impact is limited to temporary unauthorized access that can be quickly detected and terminated.
🎯 Exploit Status
Requires possession of SAML session records from terminated sessions. Attackers need to be former users with preserved session data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.6.3, 7.4.7, 7.2.11, 7.0.17, and later versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-487
Restart Required: No
Instructions:
1. Download the appropriate FortiOS patch version from the Fortinet support portal.
2. Apply the patch through the FortiOS web interface or CLI.
3. Verify the update was successful by checking the version number.
🔧 Temporary Workarounds
Disable SAML authentication
Temporarily switch to alternative authentication methods until patching is complete
config user saml
edit [saml-server-name]
set status disable
end
Reduce session timeout
Decrease the SSL VPN session timeout to limit the exposure window
config vpn ssl settings
set idle-timeout 300
end
🧯 If You Can't Patch
- Implement strict session monitoring and alerting for unusual session re-establishment
- Enforce mandatory session termination procedures when users leave the organization
🔍 How to Verify
Check if Vulnerable:
Check the FortiOS version with 'get system status' and confirm whether SAML is the authentication method configured for SSL VPN
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm that the FortiOS version reported by 'get system status' is 7.6.3, 7.4.7, 7.2.11, 7.0.17 or later
📡 Detection & Monitoring
Log Indicators:
- Multiple session re-establishment attempts from same user
- Session creation after account termination
- Unusual SAML authentication patterns
Network Indicators:
- Unexpected VPN connections from terminated users
- SAML authentication anomalies
SIEM Query:
source="fortigate" AND (event_type="vpn" OR auth_method="saml") AND (user_status="terminated" OR session_reuse="true")
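As an added illustration of the log indicators and SIEM query above (example code written for this page, not part of the advisory or any Fortinet tooling), the following Python sketch parses constructed FortiGate-style key=value VPN event lines and flags the two indicators named above: tunnel-up events after an account's termination time, and repeated tunnel-ups from one user inside a short window. The field names, sample lines and termination feed are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value syslog format.
# Field names (subtype, action, user, remip) are assumptions made here,
# not taken from the advisory; real logs carry many more fields.
SAMPLE_LOGS = """\
date=2025-03-10 time=09:00:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2025-03-10 time=09:00:30 type="event" subtype="vpn" action="tunnel-down" user="alice" remip=198.51.100.10
date=2025-03-10 time=09:00:45 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2025-03-10 time=09:01:10 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2025-03-10 time=09:01:40 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.10
date=2025-03-12 time=14:20:00 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.7
date=2025-03-12 time=14:25:00 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=203.0.113.9
"""

# Constructed offboarding feed: username -> time the account was terminated.
TERMINATED = {"bob": datetime(2025, 3, 11, 17, 0, 0)}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def find_suspicious_sessions(logs, terminated, window=timedelta(minutes=5), threshold=3):
    """Return (post_termination, repeated): tunnel-ups after account
    termination, and users with >= threshold tunnel-ups inside one window."""
    post_termination, repeated = [], []
    ups = defaultdict(list)
    for raw in logs.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        user = ev["user"]
        # Indicator: session creation after account termination.
        if user in terminated and ts > terminated[user]:
            post_termination.append((user, ts, ev.get("remip")))
        ups[user].append(ts)
    # Indicator: multiple session re-establishments from the same user.
    for user, times in ups.items():
        times.sort()
        if any(sum(1 for u in times[i:] if u - t <= window) >= threshold
               for i, t in enumerate(times)):
            repeated.append(user)
    return post_termination, repeated
```

On the constructed sample, alice is reported for four tunnel-ups within two minutes and bob for a tunnel-up the day after his account was terminated; carol triggers nothing.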