Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-50562

Severity: 4.8 MEDIUM
EPSS: 0.8% (top 26.71%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Jun 10
Latest update: Jun 20

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages: 5 packages

NVD | fortinet/fortios | 6.4.0 | 7.2.11 | +2
CVEListV5 | fortinet/fortios | 7.4.0 | 7.4.4 | +5
CVEListV5 | fortinet/fortipam | 1.4.0 | 1.4.1 | +4
CVEListV5 | fortinet/fortiproxy | 7.4.0 | 7.4.5 | +4
NVD | fortinet/fortisase | 24.4.60

🔴 Vulnerability Details (2)

CVEList
CVE-2024-50562: An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7 (2025-06-10)
GHSA
GHSA-3vr5-764g-c3pw: An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7 (2025-06-10)

💥 Exploits & PoCs (1)

Exploit-DB
FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse (2025-06-20)

📋 Vendor Advisories (1)

Fortinet
Insufficient Session Expiration in SSL-VPN cookie (2025-06-10)
CVE-2024-50562 (MEDIUM CVSS 4.8) | An Insufficient Session Expiration | cvebase.io