CVE-2025-25252: Improper access control in Fortinet FortiOS
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and all 6.4 versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session by re-using the SAML record.
AI Analysis
Technical Summary
CVE-2025-25252 is a vulnerability identified in Fortinet FortiOS SSL VPN implementations across multiple versions from 6.4.0 up to 7.6.2. The root cause is insufficient session expiration controls, specifically related to SAML-based authentication sessions. When a user, such as an administrator, is removed from the system and their account is deleted, the associated SAML session token should be invalidated to prevent further access. However, due to improper access control and session management, an attacker in possession of a previously valid SAML session token can reuse this token to re-establish a session without needing to authenticate again. This scenario is particularly concerning if the attacker is a former admin or insider who retained a session token after account removal. The vulnerability does not require privileges or user interaction, but the attacker must have the SAML session record, which may be obtained through prior access or interception. The CVSS 3.1 score of 4.3 reflects a medium severity, with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality and integrity by enabling unauthorized access to VPN-protected resources. There are no known public exploits or patches at the time of reporting, emphasizing the need for proactive mitigation. Fortinet FortiOS is widely deployed in enterprise and government environments for secure remote access, making this vulnerability relevant for organizations relying on FortiOS SSL VPN for remote connectivity.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access to internal networks and sensitive data via compromised or reused VPN sessions. Attackers who can reuse SAML session tokens may bypass authentication controls, potentially leading to data breaches, lateral movement within networks, and disruption of secure remote access. Sectors such as finance, healthcare, government, and critical infrastructure, which heavily rely on VPNs for secure remote work, are particularly vulnerable. The risk is amplified in environments where session invalidation upon user removal is not rigorously enforced. Additionally, the presence of former employees or contractors with retained session tokens could facilitate insider threats. Although the CVSS score is medium, the potential for persistent unauthorized access without detection can have significant operational and reputational consequences. The lack of known exploits currently provides a window for mitigation, but organizations should act promptly to prevent exploitation.
Mitigation Recommendations
1. Immediately invalidate all active sessions when user accounts are removed or privileges are changed, ensuring SAML session tokens cannot be reused.
2. Implement strict session timeout policies and enforce reauthentication for long-lived sessions.
3. Monitor VPN access logs for unusual session reuse patterns or anomalies indicative of session hijacking.
4. Upgrade FortiOS SSL VPN to the latest patched versions once available from Fortinet.
5. Employ multi-factor authentication (MFA) to add an additional layer of security beyond SAML tokens.
6. Conduct regular audits of user accounts and active sessions to detect and revoke orphaned or stale sessions.
7. Educate administrators and security teams about the risks of session reuse and the importance of session management hygiene.
8. Consider network segmentation and least privilege access to limit potential damage from compromised VPN sessions.
9. Use endpoint security solutions to detect and prevent unauthorized access attempts via VPN.
10. Engage with Fortinet support for guidance and monitor advisories for patches or workarounds.
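As an added illustration of mitigation 1 (example code written for this page, not Fortinet code and not a model of FortiOS internals), a minimal Python session store in its vulnerable and hardened forms: the vulnerable store validates a presented SAML session record on its own, so the record keeps working after the account is deleted, which is the CWE-613 pattern the description above names; the hardened store revokes every session bound to a removed account and re-checks the account on each resume, including a per-account generation counter that is bumped on privilege changes. The class and method names, the 8-hour lifetime and the generation counter are assumptions of the example.

```python
from dataclasses import dataclass

MAX_AGE = 8 * 3600  # seconds; assumed absolute session lifetime for this example

@dataclass
class SamlSession:
    record_id: str   # opaque handle the VPN client presents to resume (constructed)
    subject: str     # NameID the IdP asserted
    issued_at: float
    generation: int  # account generation counter at login time

class VulnerableStore:
    """Validates a presented record on its own: removing the user never touches it."""
    def __init__(self):
        self.sessions = {}   # record_id -> SamlSession
        self.users = {}      # subject -> generation counter

    def add_user(self, subject):
        self.users[subject] = 0

    def login(self, record_id, subject, now):
        gen = self.users.get(subject)
        if gen is None:
            return False
        self.sessions[record_id] = SamlSession(record_id, subject, now, gen)
        return True

    def remove_user(self, subject):
        self.users.pop(subject, None)   # account deleted, session table untouched

    def resume(self, record_id, now):
        s = self.sessions.get(record_id)
        return s is not None and now - s.issued_at < MAX_AGE

class HardenedStore(VulnerableStore):
    """Revokes eagerly on removal or privilege change; re-checks the account on resume."""
    def remove_user(self, subject):
        super().remove_user(subject)
        for rid in [r for r, s in self.sessions.items() if s.subject == subject]:
            del self.sessions[rid]   # eager revocation (mitigation 1)

    def change_privileges(self, subject):
        self.users[subject] += 1     # sessions issued under the old role no longer match

    def resume(self, record_id, now):
        s = self.sessions.get(record_id)
        if s is None or now - s.issued_at >= MAX_AGE:
            return False
        return self.users.get(s.subject) == s.generation  # account must still exist, unchanged
```

The same record that resumes successfully in VulnerableStore after remove_user() is rejected by HardenedStore, and a record issued before change_privileges() is rejected until the user logs in again.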
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-02-05T13:31:18.866Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702b75ce224a0426b550
Added to database: 10/14/2025, 3:45:47 PM
Last enriched: 1/14/2026, 2:54:44 PM
Last updated: 1/19/2026, 9:54:55 AM