CVE-2024-50562

Published: Jun 10, 2025Modified: Jul 25, 2025

4.8

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.2 / Impact: 2.5

Source: psirt@fortinet.com (Secondary)

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

Affected (4)

Products: Fortinet: Fortios, Fortisase

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.4.0 to 7.2.11
Fortinet Fortios	From 7.4.0 to 7.4.8
Fortinet Fortios	Version 7.6.0
Fortinet Fortisase	Version 24.4.60

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-339

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.