
CVE-2025-62631: Improper access control in Fortinet FortiOS

Severity: Medium
Published: Tue Dec 09 2025 (12/09/2025, 17:18:47 UTC)
Source: CVE Database V5
Vendor/Project: Fortinet
Product: FortiOS

Description

An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, and FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an active SSLVPN session that is not terminated after a user's password change, under particular conditions outside of the attacker's control.

AI-Powered Analysis

Last updated: 12/09/2025, 17:51:07 UTC

Technical Analysis

CVE-2025-62631 is a vulnerability in Fortinet FortiOS affecting versions 6.4.0, 7.0.0, 7.2.0, and 7.4.0. It stems from improper access control related to session management, specifically insufficient session expiration (CWE-613). When a user changes their password, the system is expected to terminate all active sessions to prevent unauthorized access. However, due to this flaw, an attacker who has an active SSLVPN session prior to the password change can maintain access to network resources because the session remains valid and is not invalidated as expected. This condition occurs under particular circumstances that are outside the attacker’s direct control, indicating some environmental or configuration dependencies. The vulnerability does not require privileges or user interaction, but the attack complexity is high, meaning exploitation is not trivial. The CVSS 3.1 score of 5.3 reflects limited impact on confidentiality, integrity, and availability, but the persistence of unauthorized access can lead to further exploitation or data exposure. No public exploits or active exploitation have been reported yet. Fortinet has not yet published patches, so organizations must rely on compensating controls. This vulnerability is significant for environments relying on FortiOS SSLVPN for remote access, as it undermines the security benefits of password changes and session invalidation policies.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized persistent access to internal networks via SSLVPN sessions that should have been terminated after password changes. This can lead to prolonged exposure of sensitive data, potential lateral movement within networks, and increased risk of further compromise. Critical sectors such as finance, government, healthcare, and energy that rely heavily on Fortinet FortiOS for secure remote access could face operational disruptions and data breaches. The medium severity rating indicates that while immediate catastrophic impacts are unlikely, the persistence of unauthorized sessions can facilitate more severe attacks if combined with other vulnerabilities or insider threats. The lack of required privileges or user interaction lowers the barrier for attackers who have already established sessions, emphasizing the need for robust session management. European organizations with large remote workforces or those implementing strict password policies may find this vulnerability undermines their security posture by allowing attackers to bypass session termination controls.

Mitigation Recommendations

Organizations should immediately audit and monitor active SSLVPN sessions on FortiOS devices to detect any sessions that persist beyond password changes. Implement manual session termination policies upon password resets as a temporary measure until patches are available. Fortinet customers should prioritize upgrading to patched versions once released. In the interim, consider enforcing multi-factor authentication (MFA) to reduce the risk of session hijacking and unauthorized access. Network segmentation and strict access controls can limit the impact of any persistent sessions. Regularly review VPN logs for unusual activity and implement anomaly detection to identify suspicious session persistence. Additionally, educate users and administrators about the importance of logging out of VPN sessions before password changes. Coordinate with Fortinet support for guidance and monitor official advisories for updates and patches. Avoid relying solely on password changes to terminate sessions and consider integrating session management tools that enforce session expiration policies.
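The audit step above (find SSLVPN sessions that outlived a password change) can be scripted once you have two exports: the firewall's active-session list and the identity store's password-change events. The example below is added here and is not code from Fortinet or from this page; the record formats and sample values are constructed, so map the field names to whatever your own exports produce.

```python
from datetime import datetime, timezone

# Constructed sample data (not FortiOS output). In practice, ACTIVE_SESSIONS would be
# built from the firewall's SSL VPN session list and PASSWORD_CHANGES from the
# directory / IdP audit log. All timestamps are ISO-8601 in UTC.
ACTIVE_SESSIONS = [
    {"user": "alice", "remote_ip": "203.0.113.10", "login": "2025-12-09T08:00:00Z", "tunnel_id": 1},
    {"user": "alice", "remote_ip": "198.51.100.7", "login": "2025-12-09T10:30:00Z", "tunnel_id": 2},
    {"user": "bob",   "remote_ip": "203.0.113.22", "login": "2025-12-09T09:15:00Z", "tunnel_id": 3},
]
PASSWORD_CHANGES = [
    {"user": "alice", "changed": "2025-12-09T09:00:00Z"},
    {"user": "alice", "changed": "2025-12-08T12:00:00Z"},   # older change, must not mask the newer one
    {"user": "carol", "changed": "2025-12-09T11:00:00Z"},   # carol has no active session
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_password_change(events: list[dict]) -> dict[str, datetime]:
    """Map each user to the timestamp of their most recent password change."""
    latest: dict[str, datetime] = {}
    for event in events:
        when = parse_ts(event["changed"])
        if event["user"] not in latest or when > latest[event["user"]]:
            latest[event["user"]] = when
    return latest


def stale_sessions(sessions: list[dict], changes: list[dict]) -> list[dict]:
    """Return sessions that were established before the user's latest password change.

    These are exactly the sessions a correct implementation of session invalidation
    on password change should already have terminated; each one is a candidate for
    manual termination and for a closer look at the VPN logs.
    """
    cutoff_by_user = latest_password_change(changes)
    flagged = []
    for session in sessions:
        cutoff = cutoff_by_user.get(session["user"])
        if cutoff is not None and parse_ts(session["login"]) < cutoff:
            flagged.append(session)
    return flagged


if __name__ == "__main__":
    for s in stale_sessions(ACTIVE_SESSIONS, PASSWORD_CHANGES):
        print(f"STALE tunnel {s['tunnel_id']}: user={s['user']} from {s['remote_ip']} since {s['login']}")
```

Running this against the constructed data flags only alice's first tunnel (logged in at 08:00, password changed at 09:00); her 10:30 session post-dates the change and bob never changed his password.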


Technical Details

Data Version: 5.2
Assigner Short Name: fortinet
Date Reserved: 2025-10-17T08:22:18.977Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69385e4e74ebaa3baba142af

Added to database: 12/9/2025, 5:37:18 PM

Last enriched: 12/9/2025, 5:51:07 PM

Last updated: 12/11/2025, 4:21:02 AM
