Main Vulnerability Database Vulnerabilities #VU119429

Insufficient Session Expiration in FortiOS - CVE-2025-62631

Published: December 9, 2025

Vulnerability identifier: #VU119429

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-62631

CWE-ID: CWE-613

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Fortinet, Inc

Affected software:
FortiOS

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to insufficient session expiration in SSLVPN. An attacker can maintain access to network resources via an active session not terminated after a user's password change under particular conditions outside of the attacker's control.

How to mitigate CVE-2025-62631

Install update from vendor's website.

Sources

https://www.fortiguard.com/psirt/FG-IR-25-411

Insufficient Session Expiration in FortiOS - CVE-2025-62631

Detailed vulnerability description

How to mitigate CVE-2025-62631

Sources

Please verify you're human