Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62631

CVE-2025-62631: Fortinet FortiOS Auth Bypass Vulnerability

CVE-2025-62631 is an authentication bypass flaw in Fortinet FortiOS caused by insufficient session expiration. Attackers can maintain SSLVPN access after password changes. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-62631 Overview

CVE-2025-62631 is an insufficient session expiration vulnerability [CWE-613] affecting Fortinet FortiOS SSL VPN. The flaw allows an attacker holding an active SSL VPN session to maintain access to network resources after the associated user account changes its password. FortiOS fails to terminate existing SSL VPN sessions under certain conditions when the password rotation event occurs, breaking a core assumption of credential-based access revocation.

The vulnerability affects FortiOS 7.4.0, and all versions of FortiOS 7.2, 7.0, and 6.4. Exploitation requires that the attacker already possess a valid session, so the attack conditions sit outside of the attacker's direct control.

Critical Impact

Attackers with a hijacked or previously authorized SSL VPN session retain network access after the legitimate user's password is changed, undermining incident response containment actions.

Affected Products

  • Fortinet FortiOS 7.4.0
  • Fortinet FortiOS 7.2 (all versions)
  • Fortinet FortiOS 7.0 (all versions) and FortiOS 6.4 (all versions)

Discovery Timeline

  • 2025-12-09 - CVE-2025-62631 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62631

Vulnerability Analysis

The vulnerability resides in the SSL VPN session lifecycle management of FortiOS. When a user's password changes, FortiOS is expected to invalidate any active SSL VPN sessions bound to that account. Under specific conditions this invalidation does not occur, and the existing session token remains valid for continued network access.

This behavior conflicts with common containment procedures. Security teams frequently rotate credentials during suspected compromise to eject an attacker. Because the SSL VPN session persists, the attacker retains tunnel connectivity, reachability into internal segments, and any privileges granted to the compromised identity.

The attack complexity is high because the flaw only manifests under particular conditions outside of the attacker's control, such as timing of the password change relative to session establishment. Exploitation does not require additional privileges or user interaction once the session exists.

Root Cause

The root cause is missing enforcement of session termination on credential change events within the SSL VPN daemon. Session state is not cross-referenced against the authoritative credential state after a password update, leaving previously issued session tokens usable until their own expiration timer elapses.

Attack Vector

The attack vector is network-based over the SSL VPN interface. An attacker who has previously authenticated, or who has captured or stolen a valid SSL VPN session, continues to interact with the FortiGate as the affected user after that user's password has been rotated. No code execution primitive is required. See the Fortinet Security Advisory FG-IR-25-411 for vendor-confirmed technical details.

Detection Methods for CVE-2025-62631

Indicators of Compromise

  • SSL VPN session activity from a user account that continues after a password reset event recorded in the identity provider or FortiGate logs.
  • SSL VPN tunnels sourced from IP addresses or geographies that do not match the legitimate user's recent authentication history.
  • Long-lived SSL VPN sessions that span across administrative credential rotation actions.

Detection Strategies

  • Correlate FortiGate SSL VPN session logs (sslvpn-session) with directory or IAM password-change events and alert when a session ID persists past the credential change timestamp.
  • Monitor logid entries in FortiOS event logs for SSL VPN tunnel activity that lacks a corresponding fresh authentication event after a known password reset.
  • Baseline typical SSL VPN session durations per user and flag sessions that outlive expected working windows or survive helpdesk-initiated password resets.

Monitoring Recommendations

  • Forward FortiGate SSL VPN and authentication logs to a centralized SIEM for cross-source correlation with Active Directory or Entra ID password change events.
  • Track the Tunnel-Up, Tunnel-Down, and SSL VPN tunnel statistics events to identify sessions that were never explicitly terminated after credential rotation.
  • Alert on concurrent SSL VPN sessions for a single user originating from disparate source IPs, which may indicate an attacker session running alongside the legitimate user.

How to Mitigate CVE-2025-62631

Immediate Actions Required

  • Upgrade FortiOS to a fixed release as documented in Fortinet Security Advisory FG-IR-25-411.
  • After any password reset for a user with SSL VPN entitlements, explicitly terminate that user's active SSL VPN sessions from the FortiGate CLI or GUI.
  • Audit currently established SSL VPN tunnels and disconnect sessions that predate recent credential changes.

Patch Information

Fortinet has published fixed builds through the PSIRT advisory FG-IR-25-411. Administrators should consult the advisory for the specific fixed versions corresponding to each FortiOS branch (7.4, 7.2, 7.0, and 6.4) and follow Fortinet's upgrade path guidance.

Workarounds

  • Enforce a manual SSL VPN session kill as part of every password reset workflow using execute vpn sslvpn del-tunnel or the equivalent GUI action against the affected user.
  • Reduce the SSL VPN idle and authentication timeouts (set idle-timeout and set auth-timeout under config vpn ssl settings) to shorten the window during which a stale session remains usable.
  • Require multi-factor authentication for SSL VPN so that a session revalidation step limits the utility of a session tied to a previously valid password.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.