CVE-2025-62631
📋 TL;DR
This CVE describes an insufficient session expiration vulnerability in Fortinet FortiOS: under specific conditions, an active SSLVPN session is not terminated when the user's password is changed. An attacker who established a session with compromised credentials therefore keeps that session, and its access to internal network resources, even after the credentials are rotated. Affected users are organizations running vulnerable FortiOS versions with SSLVPN enabled.
💻 Affected Systems
- Fortinet FortiOS
📦 What is this software?
FortiOS by Fortinet, the operating system of FortiGate firewalls, which provides the SSLVPN remote-access service affected here.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised credentials maintains persistent access to internal network resources even after password changes, potentially leading to data exfiltration, lateral movement, or further compromise.
Likely Case
Attackers maintain access to SSLVPN sessions for extended periods after legitimate password changes, allowing continued unauthorized network access.
If Mitigated
With proper monitoring and session management controls, impact is limited to temporary unauthorized access that can be detected and terminated.
🎯 Exploit Status
Exploitation requires an SSLVPN session that was already established with compromised credentials before the password change, plus the specific conditions the advisory describes for the change itself. The attacker does not need to re-authenticate; the existing session simply keeps working.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.4.1 or later, FortiOS 7.2.7 or later, FortiOS 7.0.14 or later, FortiOS 6.4.15 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-411
Restart Required: Yes
Instructions:
1. Backup the current configuration.
2. Download the appropriate patched firmware from the Fortinet support portal.
3. Apply the firmware update following Fortinet's documented upgrade path for your current version.
4. Reboot the device.
5. Verify the update was successful with `get system status`.
🔧 Temporary Workarounds
Force SSLVPN session termination on password change
Manually terminate the user's active SSLVPN sessions whenever that user's password is changed, because the vulnerable firmware will not do it. List active sessions, note the index of the user's tunnel and web sessions, and delete them; if the account is suspected compromised, delete every session:
get vpn ssl monitor
execute vpn sslvpn del-tunnel <index>
execute vpn sslvpn del-web <index>
execute vpn sslvpn del-all
Reduce SSLVPN session timeout
Decrease the SSLVPN idle timeout and the hard (authentication) timeout so that a session that survives a password change expires sooner. Both values are in seconds (defaults are 300 for idle-timeout and 28800 for auth-timeout):
config vpn ssl settings
set idle-timeout <seconds>
set auth-timeout <seconds>
end
🧯 If You Can't Patch
- Monitor SSLVPN sessions closely (`get vpn ssl monitor` and the tunnel-up/tunnel-down event logs) and terminate suspicious sessions immediately
- When rotating a password, especially after a suspected compromise, terminate that user's SSLVPN sessions at the same time using the workaround above; do not rely on the password change alone to end access
🔍 How to Verify
Check if Vulnerable:
Check FortiOS version with 'get system status' and compare against affected versions. Verify SSLVPN is enabled with 'show vpn ssl settings'.
Check Version:
get system status | grep Version
Verify Fix Applied:
After patching, confirm the version with `get system status`. Then test the behaviour: establish an SSLVPN session for a test user, change that user's password under the conditions described in the advisory, and confirm with `get vpn ssl monitor` that the session is gone.
📡 Detection & Monitoring
Log Indicators:
- SSLVPN tunnels for a user that were established before a password change for that user and are still up afterwards
- SSLVPN sessions with unusually long duration
- Password change events for a user that are not followed, within a short interval, by a tunnel-down event for that user's active sessions
Network Indicators:
- SSLVPN connections persisting after administrative password resets
- Unusual SSLVPN traffic patterns from previously compromised accounts
SIEM Query:
Long-lived SSLVPN tunnels (FortiGate reports `duration` in seconds on the tunnel-down event):
source="fortigate" subtype="vpn" tunneltype="ssl-tunnel" action="tunnel-down" duration>86400 | table _time user remip tunnelid duration
A long duration alone is not evidence of exploitation; correlate the tunnel's tunnel-up time with password change events for the same user to find sessions that outlived a change.
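The correlation described above (tunnels that outlive a password change for the same account), as an added example that is not part of this advisory or of Fortinet's tooling. It parses FortiGate-style key=value event logs, pairs tunnel-up with tunnel-down per user and tunnel id, and reports every tunnel that was up before a password change and still open once a short grace period had passed. The field names (subtype, action, tunneltype, user, remip, tunnelid, cfgpath, cfgobj, cfgattr) and the sample log lines are assumptions modelled on the FortiGate log format, and should be checked against your own device's output before use.

```python
"""Flag SSLVPN tunnels that outlive a password change.

Added example, not part of the advisory or of Fortinet's own tooling.
Field names and the sample lines below are assumptions modelled on the
FortiGate key=value event-log format; verify them against real logs.
"""
import shlex
from datetime import datetime

# Constructed sample lines (not real device output). The password-change
# record is assumed to carry the changed account in cfgobj and the admin
# who made the change in user.
SAMPLE_LOGS = """\
date=2025-10-20 time=08:00:05 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.10 tunnelid=100
date=2025-10-20 time=08:05:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7 tunnelid=101
date=2025-10-20 time=09:00:00 type="event" subtype="system" action="Edit" cfgpath="user.local" cfgobj="alice" cfgattr="passwd[*]" user="admin"
date=2025-10-20 time=09:30:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.10 tunnelid=100 duration=5395
date=2025-10-20 time=10:00:00 type="event" subtype="system" action="Edit" cfgpath="user.local" cfgobj="bob" cfgattr="passwd[*]" user="admin"
date=2025-10-20 time=10:00:01 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7 tunnelid=101 duration=6901
date=2025-10-20 time=11:00:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" remip=192.0.2.5 tunnelid=102
date=2025-10-20 time=12:00:00 type="event" subtype="system" action="Edit" cfgpath="user.local" cfgobj="carol" cfgattr="passwd[*]" user="admin"
"""


def parse_kv(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def event_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_surviving_sessions(log_text, grace_seconds=60):
    """Return tunnels still open more than grace_seconds after a password change.

    A tunnel torn down within the grace period is treated as terminated by
    the change (the expected behaviour on a fixed build). One torn down later,
    or never torn down within the log, is reported as a surviving session.
    """
    events = [parse_kv(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=event_time)

    tunnels = {}   # (user, tunnelid) -> session record
    changes = []   # (timestamp, account whose password changed)
    for e in events:
        ts = event_time(e)
        if e.get("subtype") == "vpn" and e.get("tunneltype") == "ssl-tunnel":
            key = (e["user"], e["tunnelid"])
            if e.get("action") == "tunnel-up":
                tunnels[key] = {"user": e["user"], "tunnelid": e["tunnelid"],
                                "remip": e.get("remip"), "up": ts, "down": None}
            elif e.get("action") == "tunnel-down" and key in tunnels:
                tunnels[key]["down"] = ts
        elif e.get("cfgpath") == "user.local" and e.get("cfgattr", "").startswith("passwd"):
            changes.append((ts, e["cfgobj"]))

    findings = []
    for change_ts, account in changes:
        for t in tunnels.values():
            if t["user"] != account or t["up"] >= change_ts:
                continue  # other account, or tunnel built after the change
            if t["down"] is None:
                lived = None  # still open at the end of the log
            else:
                lived = (t["down"] - change_ts).total_seconds()
                if lived <= grace_seconds:
                    continue  # torn down promptly: expected behaviour
            findings.append({"user": t["user"], "tunnelid": t["tunnelid"],
                             "remip": t["remip"], "password_changed": change_ts,
                             "seconds_open_after_change": lived})
    return findings


if __name__ == "__main__":
    for f in find_surviving_sessions(SAMPLE_LOGS):
        state = "still open" if f["seconds_open_after_change"] is None \
            else f"{f['seconds_open_after_change']:.0f}s"
        print(f"{f['user']} tunnel {f['tunnelid']} from {f['remip']} "
              f"survived password change at {f['password_changed']}: {state}")
```

On the constructed input this reports alice (tunnel closed 30 minutes after her password change) and carol (tunnel still open), but not bob, whose tunnel went down one second after the change. Each reported user and remip can then be matched against the index shown by `get vpn ssl monitor` to terminate the session manually.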