CVE-2025-62631

MEDIUM

Fortinet Fortios < 7.4.1 - Insufficient Session Expiration

Title source: rule

Description

An insufficient session expiration vulnerability [CWE-613] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an active SSLVPN session not terminated after a user's password change under particular conditions outside of the attacker's control

References (1)

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-25-411

Scores

CVSS v3 5.6

EPSS 0.0002

EPSS Percentile 6.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (1)

fortinet/fortios 6.4.0 - 7.4.1

Published Dec 09, 2025

Tracked Since Feb 18, 2026