CVE-2025-25252 — Insufficient Session Expiration in Fortinet Fortios

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

6.5MEDIUMNVD

CNA4.8

EPSS

0.0%

top 86.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios

Timeline

PublishedOct 14

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶NVDfortinet/fortios6.4.0 — 7.0.17+3

▶CVEListV5fortinet/fortios7.6.0 — 7.6.2+4

🔴Vulnerability Details

CVEList

CVE-2025-25252: An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7↗2025-10-14

▶

GHSA

GHSA-8vxf-42v3-rc9p: An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7↗2025-10-14

▶

📋Vendor Advisories

Fortinet

Insufficient Session Expiration in SSLVPN using SAML authentication↗2025-10-14

▶