CVE-2025-62631 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-62631

CWE

https://cwe.mitre.org/data/definitions/613.html

An insufficient session expiration vulnerability [CWE-613] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an active SSLVPN session not terminated after a users password change under particular conditions outside of the attackers control

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name	Vendor	Start Version	End Version
Fortios	Fortinet	6.4.0 (including)	7.4.1 (excluding)

Potential Mitigations

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-411