CVE-2025-62631

CWE-613 — Insufficient Session Expiration5 documents5 sources

Severity

5.6MEDIUM

EPSS

0.0%

top 94.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios

Timeline

PublishedDec 9

Description

An insufficient session expiration vulnerability [CWE-613] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an active SSLVPN session not terminated after a user's password change under particular conditions outside of the attacker's control

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages2 packages

▶NVDfortinet/fortios6.4.0 — 7.4.1

▶CVEListV5fortinet/fortios7.2.0 — 7.2.11+3

🔴Vulnerability Details

CVEList

CVE-2025-62631: An insufficient session expiration vulnerability [CWE-613] vulnerability in Fortinet FortiOS 7↗2025-12-09

▶

GHSA

GHSA-chj4-wrc6-847j: An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7↗2025-12-09

▶

📋Vendor Advisories

Fortinet

Insufficient Session Expiration in SSLVPN↗2025-12-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-62631 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶