
CVE-2025-25252: Improper access control in Fortinet FortiOS

Severity: Medium
Vulnerability, CVE-2025-25252
Published: Tue Oct 14 2025 (10/14/2025, 15:23:08 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiOS

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of the SAML record.

AI-Powered Analysis

AI analysis last updated: 10/21/2025, 16:48:53 UTC

Technical Analysis

CVE-2025-25252 is an Insufficient Session Expiration vulnerability (CWE-613) in the FortiOS SSL VPN, affecting 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and all 6.4 releases. The flaw arises because the SAML record that backs an SSL VPN session is not properly invalidated when the session ends, including when an administrator account is removed and its session terminated. A remote attacker who has retained a valid SAML record from such a session can reuse it to reopen the session without authenticating again, gaining access to the VPN environment and potentially to internal network resources. That the vulnerability spans several major FortiOS release trains indicates a systemic issue in session management rather than a single regression. The CVSS 3.1 base score is 4.3 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N: network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality and integrity impact, and no availability impact. No public exploits have been reported, but the flaw could be exploited by former employees or by attackers who have intercepted or retained session records. At the time of this analysis Fortinet had not published patches or mitigation guidance, so organizations must rely on compensating controls. The vulnerability highlights the importance of robust server-side session invalidation in VPN solutions, especially those using SAML authentication.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized access to internal networks via compromised or retained SAML session tokens. Attackers, including former employees or insiders, could regain access without re-authentication, potentially leading to data exposure or lateral movement within corporate networks. The impact on confidentiality and integrity is low to medium, as the attacker gains access equivalent to the original session user but cannot escalate privileges directly through this flaw. Availability is not affected. Organizations relying heavily on FortiOS SSL VPN for remote access, especially in sectors like finance, government, healthcare, and critical infrastructure, could face targeted exploitation attempts. The risk is heightened in environments where session tokens are not adequately protected or where session termination processes are not strictly enforced. The lack of known exploits reduces the immediate threat but does not eliminate future risk, especially given the widespread use of Fortinet products in Europe.

Mitigation Recommendations

1. Immediately review and enforce strict session termination policies, ensuring that all user sessions, especially those of removed or former employees, are fully invalidated at the VPN and identity provider levels.
2. Implement short session lifetimes and frequent re-authentication requirements for VPN access to limit token reuse windows.
3. Monitor VPN logs for unusual session reactivations or repeated use of the same SAML tokens.
4. Restrict access to SAML session tokens and secure identity provider configurations to prevent token theft or leakage.
5. Where possible, deploy multi-factor authentication (MFA) that requires fresh authentication rather than relying solely on session tokens.
6. Apply network segmentation to limit the impact of unauthorized VPN access.
7. Stay alert for Fortinet security advisories and apply patches promptly once available.
8. Conduct regular audits of active sessions and user account statuses to detect anomalies.
9. Educate administrators on the importance of session management hygiene and immediate revocation of access upon employee departure.
10. Consider deploying additional endpoint security controls to detect and block unauthorized VPN access attempts.
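The following is an added illustration, not FortiOS code and not Fortinet's fix. It models the CWE-613 pattern described in the technical analysis (a gateway that trusts a SAML record's own validity window, so a record retained from a terminated, deleted-admin session reopens the session) beside a hardened gateway that keeps server-side state (single-use assertion IDs, account existence check, bounded session lifetime, as in recommendations 1 and 2), and a log check for the reactivation and token-reuse pattern named in recommendation 3. The SAML record fields, the log line format and all names are assumptions; the sample log lines are constructed.

```python
"""Session-expiration model for a SAML-authenticated VPN gateway (illustration only)."""
from dataclasses import dataclass

NOW = 1_760_000_000  # constructed epoch timestamp used by the demo


@dataclass(frozen=True)
class SamlRecord:
    """Minimal stand-in for the SAML record a gateway keeps per SSO login (assumed shape)."""
    assertion_id: str        # unique per SSO login (the SAML <Assertion ID>)
    subject: str             # authenticated user name
    not_on_or_after: float   # end of the assertion's own validity window (epoch seconds)


class VulnerableGateway:
    """CWE-613 pattern: a record is accepted whenever its own validity window is still open.
    Nothing server-side remembers that the session was torn down or the account deleted,
    so a retained record re-opens the session."""

    def __init__(self, accounts):
        self.accounts = set(accounts)
        self.sessions = {}  # assertion_id -> subject

    def open_session(self, rec, now):
        if now >= rec.not_on_or_after:
            return False
        self.sessions[rec.assertion_id] = rec.subject
        return True

    def terminate(self, assertion_id):
        self.sessions.pop(assertion_id, None)

    def delete_account(self, subject):
        """Offboarding: remove the account and terminate every session it owns."""
        self.accounts.discard(subject)
        for aid, subj in list(self.sessions.items()):
            if subj == subject:
                self.terminate(aid)


class HardenedGateway(VulnerableGateway):
    """Server-side session state: each assertion ID opens at most one session, the
    subject must still be a live account, and sessions expire after max_lifetime."""

    def __init__(self, accounts, max_lifetime=8 * 3600):
        super().__init__(accounts)
        self.consumed = set()   # assertion IDs that have ever opened a session
        self.opened_at = {}     # assertion_id -> open time
        self.max_lifetime = max_lifetime

    def open_session(self, rec, now):
        if now >= rec.not_on_or_after:
            return False
        if rec.assertion_id in self.consumed:   # replay of a used record
            return False
        if rec.subject not in self.accounts:    # deleted account
            return False
        self.consumed.add(rec.assertion_id)
        self.sessions[rec.assertion_id] = rec.subject
        self.opened_at[rec.assertion_id] = now
        return True

    def is_active(self, assertion_id, now):
        if assertion_id not in self.sessions:
            return False
        if now - self.opened_at[assertion_id] > self.max_lifetime:
            self.terminate(assertion_id)        # enforce the short-lifetime policy
            return False
        return True


def demo():
    """Admin logs in, is offboarded, then replays the retained record one minute later."""
    rec = SamlRecord("_a1", "admin-alice", NOW + 3600)
    results = {}
    for name, gw in (("vulnerable", VulnerableGateway({"admin-alice"})),
                     ("hardened", HardenedGateway({"admin-alice"}))):
        gw.open_session(rec, NOW)
        gw.delete_account("admin-alice")
        results[name] = gw.open_session(rec, NOW + 60)
    return results  # {'vulnerable': True, 'hardened': False}


# Constructed log lines in an assumed format: "<epoch> <event> user=<subject> assertion=<id>"
SAMPLE_LOG = [
    "1760000000 session-open user=admin-alice assertion=_a1",
    "1760000300 session-terminate user=admin-alice assertion=_a1",
    "1760003600 session-open user=admin-alice assertion=_a1",
    "1760003700 session-open user=bob assertion=_b7",
]


def find_token_reuse(log_lines):
    """Flag an assertion ID that opens a session after being terminated, or opens twice."""
    terminated, opened, alerts = set(), {}, []
    for line in log_lines:
        ts, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        aid = fields["assertion"]
        if event == "session-open":
            if aid in terminated:
                alerts.append(f"reactivation: assertion {aid} reopened after termination at {ts}")
            elif aid in opened:
                alerts.append(f"replay: assertion {aid} opened a second session at {ts}")
            opened[aid] = fields["user"]
        elif event == "session-terminate":
            terminated.add(aid)
    return alerts
```

The hardened gateway's `consumed` set is the essential piece: validity must be decided by state the gateway controls, not by a record the client can keep. In a real deployment that state has to survive failover and be shared across cluster members, or the replay check disappears on the next node.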


Technical Details

Data Version: 5.1
Assigner Short Name: fortinet
Date Reserved: 2025-02-05T13:31:18.866Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ee702b75ce224a0426b550

Added to database: 10/14/2025, 3:45:47 PM

Last enriched: 10/21/2025, 4:48:53 PM

Last updated: 12/4/2025, 9:46:48 AM
