CVE-2025-25252: Improper access control in Fortinet FortiOS
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.
AI Analysis
Technical Summary
CVE-2025-25252 is a vulnerability in Fortinet FortiOS SSL VPN implementations across multiple versions (6.4.0, 7.0.0 through 7.0.16, 7.2.0 through 7.2.10, 7.4.0 through 7.4.6, and 7.6.0 through 7.6.2). The flaw stems from insufficient session expiration controls (CWE-613), specifically in the handling of SAML authentication records. When a user session is terminated or the user account is removed, the associated SAML session token should be invalidated to prevent reuse. However, due to improper access control, an attacker who has obtained a valid SAML record from a previous session can reuse this token to reopen or access the session remotely without needing to authenticate again or interact with the user. This scenario could occur if a former administrator or user’s session token was captured or retained. The vulnerability does not affect availability but impacts confidentiality and integrity by allowing unauthorized access to potentially sensitive VPN sessions. The CVSS 3.1 score of 4.3 reflects a medium severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and partial confidentiality and integrity impact. No known exploits are currently reported in the wild. The vulnerability affects a broad range of FortiOS versions, indicating a long-standing issue in session management. Fortinet has not yet published patches or mitigation details at the time of this report.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access to internal networks via compromised or reused VPN sessions. Attackers with access to a valid SAML session token can bypass authentication controls, potentially gaining access to sensitive corporate resources, confidential data, and internal systems. This could lead to data breaches, espionage, or lateral movement within networks. The impact is particularly significant for organizations relying heavily on Fortinet FortiOS SSL VPN for remote access, including government agencies, financial institutions, healthcare providers, and critical infrastructure operators. The medium severity rating suggests limited direct damage but a meaningful risk of confidentiality and integrity compromise. Since no user interaction or authentication is required, the attack surface includes any exposed VPN endpoints. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop methods to capture or steal SAML tokens. European organizations with stringent data protection regulations (e.g., GDPR) must consider the compliance implications of unauthorized access incidents stemming from this vulnerability.
Mitigation Recommendations
1. Immediately audit and monitor VPN session logs for unusual session reuse or anomalies indicating token replay.
2. Enforce strict session timeout policies and ensure sessions are invalidated upon user logout or account removal.
3. Implement multi-factor authentication (MFA) for VPN access to reduce risk from stolen tokens.
4. Restrict access to SAML tokens and ensure secure storage and transmission to prevent interception.
5. Apply network segmentation to limit the impact of compromised VPN sessions.
6. Stay alert for official Fortinet patches or advisories and prioritize timely deployment once available.
7. Consider deploying additional endpoint security controls to detect unauthorized access attempts.
8. Educate administrators and users about secure session handling and the risks of token reuse.
9. If possible, rotate or revoke SAML tokens periodically to minimize token lifetime.
10. Coordinate with Fortinet support for guidance and potential workarounds until patches are released.
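An added illustrative model (not FortiOS code and not Fortinet's fix) of the session-expiration defect described in the technical summary and of the invalidation behaviour recommendation 2 asks for: the weak store re-opens a terminated session from its SAML record alone, while the hardened store treats each assertion ID as single-use and revokes a user's sessions when the account is removed. The class names, record layout, assertion ID and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SamlRecord:
    """Per-login SAML data a gateway keeps (constructed model, not FortiOS's real format)."""
    assertion_id: str          # unique ID the IdP stamped on the assertion
    subject: str               # authenticated user
    not_on_or_after: datetime  # end of the assertion's validity window

class WeakSessionStore:
    """Models the CWE-613 defect: a terminated session can be re-opened from its record alone."""
    def __init__(self):
        self.sessions = {}
    def open(self, rec):
        self.sessions[rec.assertion_id] = rec.subject
        return True
    def terminate(self, assertion_id):
        self.sessions.pop(assertion_id, None)  # forgets the session but remembers nothing about it
    def reopen(self, rec):
        return self.open(rec)  # defect: never checks that the session or the account was revoked

class HardenedSessionStore:
    """Ties session validity to the account and to one-time use of each assertion."""
    def __init__(self, users):
        self.users = set(users)
        self.sessions = {}
        self.used_ids = set()  # every assertion ID ever accepted, so a replay is recognisable
    def open(self, rec, now):
        if rec.assertion_id in self.used_ids:  # replay of a record that was already consumed
            return False
        if now >= rec.not_on_or_after or rec.subject not in self.users:
            return False
        self.used_ids.add(rec.assertion_id)
        self.sessions[rec.assertion_id] = rec.subject
        return True
    def terminate(self, assertion_id):
        self.sessions.pop(assertion_id, None)  # the ID stays in used_ids, so it cannot be re-opened
    def remove_user(self, subject):
        self.users.discard(subject)
        for aid in [a for a, s in self.sessions.items() if s == subject]:
            self.terminate(aid)

def former_admin_scenario():
    """Runs the page's scenario against both stores; returns (weak_reopened, hardened_reopened)."""
    now = datetime(2025, 10, 14, 15, 0, tzinfo=timezone.utc)
    rec = SamlRecord("_constructed-assertion-001", "admin", now + timedelta(hours=8))
    weak = WeakSessionStore(); weak.open(rec); weak.terminate(rec.assertion_id)
    hard = HardenedSessionStore(["admin"]); hard.open(rec, now); hard.remove_user("admin")
    return weak.reopen(rec), hard.open(rec, now + timedelta(minutes=5))
```

The hardened store's `used_ids` set must persist for at least the assertion's validity window; pruning it on logout would reintroduce the reuse path.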
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-02-05T13:31:18.866Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702b75ce224a0426b550
Added to database: 10/14/2025, 3:45:47 PM
Last enriched: 10/14/2025, 3:53:44 PM
Last updated: 10/16/2025, 2:49:30 PM