Insufficient Session Expiration in FortiOS SSL VPN Products
CVE-2025-25252

4.3MEDIUM

Key Information:

Vendor: Fortinet
Status: FortiOS
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-25252?

An Insufficient Session Expiration vulnerability exists in Fortinet's FortiOS SSL VPN, impacting multiple versions. This flaw permits a remote attacker, such as a previously registered admin, to regain access to a terminated user session by reusing a SAML record, potentially compromising user data and session integrity.

Affected Version(s)

FortiOS 7.6.0 <= 7.6.2

FortiOS 7.4.0 <= 7.4.6

FortiOS 7.2.0 <= 7.2.10

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-487

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Feb 5, 2025

JSON