CVE-2025-25252 Overview
CVE-2025-25252 is an Insufficient Session Expiration vulnerability [CWE-613] affecting FortiOS SSL VPN. The flaw allows a remote attacker who possesses the Security Assertion Markup Language (SAML) record of a user session to re-open or access that session. Exploitation is possible even after the associated account has been removed and the session terminated. A former administrator, for example, could reuse a captured SAML record to regain access to the SSL VPN.
The vulnerability affects FortiOS SSL VPN versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and all 6.4 releases.
Critical Impact
Attackers holding a captured SAML record can re-open terminated SSL VPN sessions, bypassing account removal and session teardown controls.
Affected Products
- FortiOS SSL VPN 7.6.0 through 7.6.2
- FortiOS SSL VPN 7.4.0 through 7.4.6, 7.2.0 through 7.2.10
- FortiOS SSL VPN 7.0.0 through 7.0.16 and all 6.4 versions
Discovery Timeline
- 2025-10-14 - CVE-2025-25252 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-25252
Vulnerability Analysis
The vulnerability resides in how FortiOS SSL VPN handles SAML-based authentication artifacts. When a user authenticates via SAML, FortiOS stores a session record tied to that authentication event. FortiOS fails to fully invalidate the SAML record when the session is terminated or the corresponding user account is deleted.
An attacker who obtains the SAML record for a previously valid session can replay it against the SSL VPN endpoint. The device accepts the record and either re-opens the terminated session or grants access to it. This defeats standard session lifecycle controls that administrators rely on to revoke user access.
Root Cause
The root cause is insufficient session expiration logic, as classified under [CWE-613]. FortiOS does not tie SAML record validity to the current state of the associated user account or the session termination event. As a result, session state is effectively reconstructible from a captured SAML artifact after revocation should have occurred.
Attack Vector
The attack is network-based and requires no user interaction. The prerequisite is possession of a legitimate SAML record for a prior authenticated session. This scenario is most realistic for insider threats such as a former administrator who exported or retained SAML material before their account was disabled. External attackers who intercepted or extracted a SAML record from logs, browser storage, or a compromised host could also leverage this flaw.
No verified proof-of-concept code is publicly available. The vulnerability is described in prose only; see the Fortinet Security Advisory FG-IR-24-487 for vendor technical details.
Detection Methods for CVE-2025-25252
Indicators of Compromise
- SSL VPN sessions established for user accounts that have been removed or disabled in the identity provider.
- SAML authentication events replayed from IP addresses or geolocations that differ from the original session origin.
- Repeated SSL VPN logins tied to the same SAML NameID after an administrative session termination event.
Detection Strategies
- Correlate FortiOS SSL VPN authentication logs with identity provider account lifecycle events to identify logins by deprovisioned users.
- Alert on SAML assertion reuse patterns, including identical AssertionID values or unexpected reauthentication timing.
- Baseline typical VPN session durations and flag sessions that resume after an explicit logout or session-kill event.
Monitoring Recommendations
- Forward FortiOS sslvpn and event logs to a centralized SIEM for correlation with identity provider audit trails.
- Monitor for administrative actions that remove accounts and verify that all active sessions for those accounts are terminated.
- Track SAML issuance and consumption records to detect assertions used beyond their intended single-session lifetime.
How to Mitigate CVE-2025-25252
Immediate Actions Required
- Upgrade FortiOS to a fixed release as listed in Fortinet Security Advisory FG-IR-24-487.
- Force reauthentication of all SSL VPN users and invalidate existing SAML sessions after upgrading.
- Audit former administrator and privileged accounts to confirm no residual SSL VPN access exists.
Patch Information
Fortinet has published upgrade paths in advisory FG-IR-24-487. Administrators running FortiOS 7.6.x, 7.4.x, 7.2.x, 7.0.x, or 6.4 should consult the advisory to identify the corresponding fixed build for their branch and apply it. FortiOS 6.4 is affected in all versions; migration to a supported branch is required.
Workarounds
- Restrict SSL VPN access to trusted source networks using firewall policies until patches are applied.
- Enforce short SAML assertion lifetimes and configure the identity provider to reject reused assertions.
- Require multi-factor authentication (MFA) at the identity provider so that a captured SAML record alone is insufficient for future access.
# Example: restrict SSL VPN portal to trusted networks in FortiOS CLI
config vpn ssl settings
set source-address trusted_admin_subnet
set source-address-negate disable
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

