CVE-2025-62631 is an improper access control vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting multiple versions of Fortinet FortiOS (6.4.0, 7.0.0, 7.2.0, and 7.4.0). The vulnerability stems from FortiOS's failure to terminate active SSLVPN sessions after a user changes their password, allowing an attacker who has established an SSLVPN session prior to the password change to maintain access to network resources. This scenario can occur under specific conditions that are outside the attacker’s control, indicating that the attacker does not need to manipulate the system actively after the password change to retain access. The vulnerability does not require authentication or user interaction from the attacker, but network access is necessary. The CVSS v3.1 score is 5.3 (medium), reflecting a network attack vector with high attack complexity and no privileges or user interaction required, resulting in limited confidentiality, integrity, and availability impacts. No public exploits are known at this time, and no patches have been linked yet. The vulnerability highlights a session management weakness where session tokens or SSLVPN connections are not invalidated promptly upon credential changes, potentially allowing unauthorized persistent access to sensitive network segments. This can be particularly problematic in environments relying heavily on FortiOS SSLVPN for secure remote access, as attackers could bypass password resets and maintain footholds within the network.

For European organizations, the vulnerability poses a risk of unauthorized persistent access to internal network resources via SSLVPN sessions that remain active after password changes. This undermines the effectiveness of password resets as a security control, potentially allowing attackers to maintain access even after credentials are changed. The impact on confidentiality includes exposure of sensitive data accessible through the VPN. Integrity and availability impacts are limited but possible if attackers leverage persistent access to conduct further malicious activities. Organizations with critical infrastructure, financial services, healthcare, and government sectors using FortiOS SSLVPN are particularly vulnerable. The medium severity indicates that while exploitation is not trivial, the potential for lateral movement and data exposure exists. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. The vulnerability could also complicate incident response and recovery efforts by allowing attackers to persist undetected despite credential changes.

1. Monitor and audit active SSLVPN sessions regularly to detect stale or suspicious connections that persist beyond password changes. 2. Implement manual session termination policies immediately after password resets or suspected compromise events. 3. Enforce multi-factor authentication (MFA) on SSLVPN access to reduce the risk of unauthorized session establishment. 4. Restrict SSLVPN access to trusted networks or IP ranges where feasible to limit exposure. 5. Apply vendor patches promptly once Fortinet releases updates addressing this vulnerability. 6. Configure FortiOS to enforce session timeout and re-authentication policies aggressively. 7. Use network segmentation to minimize the impact of any unauthorized access gained through persistent sessions. 8. Educate users and administrators about the importance of session management and the risks of persistent sessions. 9. Employ intrusion detection systems (IDS) and endpoint detection and response (EDR) tools to identify anomalous VPN activity. 10. Coordinate with Fortinet support for any available workarounds or interim fixes until patches are released.