CVE-2025-62631 is an improper access control vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting multiple versions of Fortinet's FortiOS (6.4.0, 7.0.0, 7.2.0, and 7.4.0). The vulnerability arises because SSLVPN sessions remain active and valid even after a user changes their password, under certain conditions that are outside the attacker’s control. This means that if an attacker has established an SSLVPN session prior to the password change, they can continue to access network resources without re-authenticating, effectively bypassing the intended session termination mechanism. The vulnerability does not require the attacker to authenticate or interact with the user, but does require network access to the SSLVPN service. The CVSS v3.1 score of 5.3 (medium severity) reflects that the attack vector is network-based with high attack complexity, no privileges required, and no user interaction needed. The impact affects confidentiality, integrity, and availability to a limited extent, as unauthorized access can persist. No public exploits or active exploitation have been reported to date. The vulnerability highlights a session management flaw where session tokens or SSLVPN sessions are not invalidated promptly upon credential changes, allowing session hijacking or unauthorized persistence. Fortinet has not yet published patches or mitigation details, but organizations are advised to monitor for updates and review session management policies.

For European organizations, this vulnerability poses a risk of unauthorized persistent access to internal network resources via SSLVPN, potentially allowing attackers to bypass password change protections. This can lead to data exposure, unauthorized configuration changes, or disruption of services. Organizations relying heavily on Fortinet FortiOS for remote access, especially in sectors like finance, government, healthcare, and critical infrastructure, may face increased risk of lateral movement and prolonged compromise. The vulnerability undermines trust in password change procedures, complicating incident response and user account management. While no active exploitation is reported, the medium severity and network attack vector mean that attackers with prior access could maintain footholds undetected. This risk is heightened in environments with weak monitoring or where SSLVPN sessions are not routinely audited or terminated. The impact on confidentiality, integrity, and availability is moderate but significant enough to warrant prompt attention.

1. Monitor Fortinet’s official channels closely for patches addressing CVE-2025-62631 and apply them immediately upon release. 2. Implement strict session timeout policies and enforce automatic termination of SSLVPN sessions upon password changes or after a short period of inactivity. 3. Regularly audit active SSLVPN sessions to detect and terminate any stale or suspicious sessions. 4. Employ multi-factor authentication (MFA) on SSLVPN access to reduce risk of session hijacking. 5. Use network segmentation and least privilege principles to limit the impact of any unauthorized session persistence. 6. Enhance logging and alerting on SSLVPN session activities to detect anomalies indicative of unauthorized access. 7. Educate users and administrators about the importance of logging out from VPN sessions before password changes. 8. Consider deploying additional endpoint security controls to detect and block unauthorized lateral movement from compromised VPN sessions. 9. If possible, temporarily restrict SSLVPN access to trusted IP ranges until patches are applied. 10. Coordinate with Fortinet support for any interim workarounds or configuration changes that can mitigate session persistence risks.