FortiOS SSL VPN Insufficient Session Expiration

MEDIUM (4.8) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.06% chance of exploitation (percentile: 18%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The FortiOS SSL VPN is a web-based interface that allows users to access remote networks securely. However, due to an insufficient session expiration vulnerability, attackers can re-use SAML records to gain unauthorized access to user sessions, potentially leading to sensitive data breaches and system compromise.

Am I affected?

You're affected if you use FortiOS SSL VPN versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, or any 6.4 release.

Check with: find / -name "fortios-sslvpn*.conf" 2>/dev/null

Note that this vulnerability is specific to FortiOS SSL VPN and not related to other Fortinet products.

Affected Products

Fortinet / FortiOS SSL VPN

How to fix

To fix the issue:

  1. Upgrade to FortiOS 7.6.3 or above.
    • Follow the recommended upgrade path using the FortiClient tool: https://docs.fortinet.com/upgrade-tool
  2. Alternatively, use the FortiClient built-in browser for SAML authentication and leave "Use external browser as user-agent for saml user authentication" disabled.
  3. If immediate upgrade isn't possible:
    • Restrict network access to your FortiOS SSL VPN instance (firewall it from the public internet).
    • Audit admin account activity for suspicious access patterns.
    • Monitor for unauthorized token creation.
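A defender-side check for the last step (spotting a SAML assertion being re-used after it should have expired, or from a second source address), added here as an example and not taken from the advisory or from any Fortinet tool; the key=value log format, the field names and the 10-minute re-use window are assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a FortiOS-like key=value style (format and field
# names are assumed, not taken from the advisory). Each line records one SSL VPN
# SAML login together with the assertion ID that authorised it.
SAMPLE_LOGS = [
    'date=2025-04-01 time=09:00:00 user="alice" srcip=203.0.113.10 assertion_id="_a1" action="tunnel-up"',
    'date=2025-04-01 time=09:05:00 user="bob" srcip=203.0.113.20 assertion_id="_b1" action="tunnel-up"',
    'date=2025-04-01 time=11:30:00 user="alice" srcip=198.51.100.7 assertion_id="_a1" action="tunnel-up"',
]

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict and attach a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_assertion_reuse(lines, max_age=timedelta(minutes=10)):
    """Return alerts for logins that reuse an assertion ID after the expected
    validity window (assumed 10 minutes) or from a different source IP."""
    first_seen = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "tunnel-up":
            continue
        aid = ev["assertion_id"]
        if aid not in first_seen:
            first_seen[aid] = ev
            continue
        orig = first_seen[aid]
        reasons = []
        if ev["ts"] - orig["ts"] > max_age:
            reasons.append("assertion reused after expiry window")
        if ev["srcip"] != orig["srcip"]:
            reasons.append("assertion reused from different source IP")
        if reasons:
            alerts.append({"user": ev["user"], "assertion_id": aid,
                           "srcip": ev["srcip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_assertion_reuse(SAMPLE_LOGS):
        print(alert)
```

Run against real exports, the same logic should be keyed on whichever field your log source carries for the SAML assertion or session identifier, with the window set to the IdP's assertion validity.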
