CVE-2024-50562
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-07-25
Assigner: Fortinet, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortios | From 7.4.0 (inc) to 7.4.9 (inc) |
| fortinet | fortisase | 24.4.60 |
| fortinet | fortios | 7.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insufficient Session Expiration issue in FortiOS SSL-VPN versions 7.6.0, 7.4.6 and below, 7.2.10 and below, 7.0 all versions, and 6.4 all versions. It allows an attacker who has a cookie used to log in to the SSL-VPN portal to reuse that cookie to log in again even after the session has expired or the user has logged out.
How can this vulnerability impact me?
An attacker with access to a valid login cookie can bypass session expiration controls and gain unauthorized access to the SSL-VPN portal. This could lead to unauthorized access to internal network resources, potentially compromising the confidentiality and integrity of data.