
CVE-2024-50562: Improper access control in Fortinet FortiOS

Severity: Medium
Published: Tue Jun 10 2025 (06/10/2025, 16:36:10 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiOS

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in to the SSL-VPN portal to log in again, even though the session has expired or was logged out.

AI-Powered Analysis

Last updated: 07/11/2025, 22:48:17 UTC

Technical Analysis

CVE-2024-50562 is a vulnerability identified in Fortinet's FortiOS SSL-VPN implementations across multiple versions, including 6.4.x, 7.0.x, 7.2.x, 7.4.x, and 7.6.0. The core issue is an Insufficient Session Expiration flaw (CWE-613) where session cookies used for authentication to the SSL-VPN portal do not properly expire upon logout or session timeout. This allows an attacker who has obtained a valid session cookie to reuse it to log back into the SSL-VPN portal even after the legitimate session has ended. The vulnerability affects the SSL-VPN portal component, which is critical for remote access to internal networks. The CVSS v3.1 base score is 4.4 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), but has high attack complexity (AC:H). The impact is limited to partial confidentiality and integrity compromise (C:L/I:L/A:N), with no availability impact. No known exploits are currently reported in the wild. The vulnerability is present in widely deployed FortiOS versions, which are commonly used by enterprises and service providers for secure remote access. The improper session expiration could allow attackers to bypass session termination controls, potentially enabling unauthorized access to internal resources if session cookies are leaked or stolen through other means such as network interception, endpoint compromise, or social engineering.

Potential Impact

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of remote access sessions, which are critical for secure teleworking and access to corporate networks. An attacker exploiting this flaw could regain access to an SSL-VPN portal without valid credentials if they have obtained a session cookie, potentially leading to unauthorized data access or lateral movement within the network. This risk is heightened in sectors with high remote access usage, such as finance, healthcare, and government. Although the vulnerability does not directly allow privilege escalation or denial of service, the ability to reuse expired sessions undermines session management security and could facilitate further attacks. Given the widespread adoption of Fortinet FortiOS in Europe, especially among enterprises and managed service providers, the vulnerability could impact a broad range of organizations. The medium CVSS score reflects moderate risk, but the actual impact depends on the attacker's ability to obtain session cookies, which may require additional compromise steps. Nonetheless, the vulnerability weakens the security posture of SSL-VPN deployments and could be leveraged as part of multi-stage attacks.

Mitigation Recommendations

Organizations should prioritize updating FortiOS to the latest patched versions once Fortinet releases fixes addressing CVE-2024-50562. In the interim, administrators should implement compensating controls such as enforcing strict session timeout policies, enabling multi-factor authentication (MFA) on SSL-VPN portals to reduce the risk of session cookie misuse, and monitoring for anomalous login activity indicative of session reuse. Network segmentation and limiting SSL-VPN access to trusted IP ranges can reduce exposure. Additionally, organizations should ensure secure handling of session cookies by enforcing HTTPS with strong TLS configurations to prevent interception. Regularly auditing and revoking stale or inactive sessions can help mitigate risks. Endpoint security measures to prevent malware or credential theft are also critical to reduce the likelihood of session cookie compromise. Finally, security teams should monitor threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.
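The session-handling flaw described above, reduced to its pattern. This is an added example, not Fortinet code: a cookie-only check that cannot honour logout, beside a server-side session store that revokes on logout, enforces idle and absolute expiry, and records a well-signed cookie presented after revocation as the reuse signal the mitigation section says to monitor for. The key, timeouts and user names are constructed.

```python
import hashlib
import hmac
import secrets
SECRET = b"constructed-demo-key"  # constructed placeholder, not a real key

def make_cookie(user: str, issued: float) -> str:
    """HMAC-signed cookie "user:issued:nonce:sig"; both variants below use it."""
    body = f"{user}:{int(issued)}:{secrets.token_hex(8)}"
    return body + ":" + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def parse_cookie(cookie: str):
    parts = cookie.rsplit(":", 3)
    if len(parts) != 4:  # malformed cookie: reject rather than raise
        return None
    user, issued, nonce, sig = parts
    expect = hmac.new(SECRET, f"{user}:{issued}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return (user, int(issued)) if hmac.compare_digest(sig, expect) else None

def stateless_valid(cookie: str, now: float, ttl: int = 3600) -> bool:
    """Weak pattern (CWE-613): the cookie is its own proof, so logout cannot revoke it."""
    parsed = parse_cookie(cookie)
    return parsed is not None and now < parsed[1] + ttl

class SessionStore:
    """Hardened pattern: server-side record per session, deleted on logout, expiry enforced."""
    def __init__(self, idle: int = 900, absolute: int = 3600):
        self.idle, self.absolute = idle, absolute
        self.live = {}    # cookie -> [user, issued, last_seen]
        self.alerts = []  # (user, time) of revoked or expired cookies presented again

    def login(self, user: str, now: float) -> str:
        cookie = make_cookie(user, now)
        self.live[cookie] = [user, now, now]
        return cookie

    def logout(self, cookie: str) -> None:
        self.live.pop(cookie, None)  # revocation is immediate and server-side

    def valid(self, cookie: str, now: float) -> bool:
        parsed = parse_cookie(cookie)
        rec = self.live.get(cookie) if parsed else None
        if rec is None:
            if parsed:  # good signature but no live session: reuse attempt
                self.alerts.append((parsed[0], now))
            return False
        if now - rec[2] > self.idle or now - rec[1] > self.absolute:
            self.live.pop(cookie)  # expired: evict so it cannot be replayed
            return False
        rec[2] = now
        return True
```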


Technical Details

Data Version: 5.1
Assigner Short Name: fortinet
Date Reserved: 2024-10-24T11:52:14.400Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f521b0bd07c39389d76

Added to database: 6/10/2025, 6:54:10 PM

Last enriched: 7/11/2025, 10:48:17 PM

Last updated: 8/20/2025, 5:12:39 AM

