CVE-2024-50562 - Vulnerability Details

Description

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

Published: 2025-06-10

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortinet

FortiOS

unaffected

Version	Status	Constraints
`7.6.0`	affected	—
`7.4.6`	affected	—
`7.4.0`	affected	≤ 7.4.4
`7.2.0`	affected	≤ 7.2.10
`7.0.0`	affected	≤ 7.0.17
`6.4.0`	affected	≤ 6.4.16

Fortinet

FortiPAM

unaffected

Version	Status	Constraints
`1.4.0`	affected	≤ 1.4.1
`1.3.0`	affected	—
`1.2.0`	affected	—
`1.1.0`	affected	≤ 1.1.2
`1.0.0`	affected	≤ 1.0.3

Fortinet

FortiProxy

unaffected

Version	Status	Constraints
`7.6.0`	affected	—
`7.4.0`	affected	≤ 7.4.5
`7.2.0`	affected	≤ 7.2.14
`7.0.0`	affected	≤ 7.0.20
`2.0.0`	affected	≤ 2.0.14

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortisase:24.4.60::::-:::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios:7.6.0:::::::*

No data.

No data available yet.

Remediation

Vendor Solution

Please upgrade to FortiOS version 7.6.1 or above Please upgrade to FortiOS version 7.4.8 or above Please upgrade to FortiOS version 7.2.11 or above Please upgrade to FortiSASE version 24.4.c or above

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-17805	An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00758.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-864900.html
https://fortiguard.fortinet.com/psirt/FG-IR-24-339

History

Tue, 09 Jun 2026 10:30:00 +0000

Type	Values Removed	Values Added
References		https://cert-portal.siemens.com/productcert/html/ssa-864900.html

Fri, 25 Jul 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortinet fortisase
CPEs		cpe:2.3:a:fortinet:fortisase:24.4.60::::-::: cpe:2.3:o:fortinet:fortios::::::::
Vendors & Products		Fortinet fortisase

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.01305}`	epss `{'score': 0.00362}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.01199}`	epss `{'score': 0.01305}`

Tue, 10 Jun 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description		An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
First Time appeared		Fortinet Fortinet fortios Fortinet fortipam
Weaknesses		CWE-613
CPEs		cpe:2.3:o:fortinet:fortios:6.4.0:::::::* cpe:2.3:o:fortinet:fortios:6.4.10:::::::* cpe:2.3:o:fortinet:fortios:6.4.11:::::::* cpe:2.3:o:fortinet:fortios:6.4.12:::::::* cpe:2.3:o:fortinet:fortios:6.4.13:::::::* cpe:2.3:o:fortinet:fortios:6.4.14:::::::* cpe:2.3:o:fortinet:fortios:6.4.15:::::::* cpe:2.3:o:fortinet:fortios:6.4.16:::::::* cpe:2.3:o:fortinet:fortios:6.4.1:::::::* cpe:2.3:o:fortinet:fortios:6.4.2:::::::* cpe:2.3:o:fortinet:fortios:6.4.3:::::::* cpe:2.3:o:fortinet:fortios:6.4.4:::::::* cpe:2.3:o:fortinet:fortios:6.4.5:::::::* cpe:2.3:o:fortinet:fortios:6.4.6:::::::* cpe:2.3:o:fortinet:fortios:6.4.7:::::::* cpe:2.3:o:fortinet:fortios:6.4.8:::::::* cpe:2.3:o:fortinet:fortios:6.4.9:::::::* cpe:2.3:o:fortinet:fortios:7.0.0:::::::* cpe:2.3:o:fortinet:fortios:7.0.10:::::::* cpe:2.3:o:fortinet:fortios:7.0.11:::::::* cpe:2.3:o:fortinet:fortios:7.0.12:::::::* cpe:2.3:o:fortinet:fortios:7.0.13:::::::* cpe:2.3:o:fortinet:fortios:7.0.14:::::::* cpe:2.3:o:fortinet:fortios:7.0.15:::::::* cpe:2.3:o:fortinet:fortios:7.0.16:::::::* cpe:2.3:o:fortinet:fortios:7.0.17:::::::* cpe:2.3:o:fortinet:fortios:7.0.1:::::::* cpe:2.3:o:fortinet:fortios:7.0.2:::::::* cpe:2.3:o:fortinet:fortios:7.0.3:::::::* cpe:2.3:o:fortinet:fortios:7.0.4:::::::* cpe:2.3:o:fortinet:fortios:7.0.5:::::::* cpe:2.3:o:fortinet:fortios:7.0.6:::::::* cpe:2.3:o:fortinet:fortios:7.0.7:::::::* cpe:2.3:o:fortinet:fortios:7.0.8:::::::* cpe:2.3:o:fortinet:fortios:7.0.9:::::::* cpe:2.3:o:fortinet:fortios:7.2.0:::::::* cpe:2.3:o:fortinet:fortios:7.2.10:::::::* cpe:2.3:o:fortinet:fortios:7.2.1:::::::* cpe:2.3:o:fortinet:fortios:7.2.2:::::::* cpe:2.3:o:fortinet:fortios:7.2.3:::::::* cpe:2.3:o:fortinet:fortios:7.2.4:::::::* cpe:2.3:o:fortinet:fortios:7.2.5:::::::* cpe:2.3:o:fortinet:fortios:7.2.6:::::::* cpe:2.3:o:fortinet:fortios:7.2.7:::::::* cpe:2.3:o:fortinet:fortios:7.2.8:::::::* cpe:2.3:o:fortinet:fortios:7.2.9:::::::* cpe:2.3:o:fortinet:fortios:7.4.0:::::::* cpe:2.3:o:fortinet:fortios:7.4.1:::::::* cpe:2.3:o:fortinet:fortios:7.4.2:::::::* cpe:2.3:o:fortinet:fortios:7.4.3:::::::* cpe:2.3:o:fortinet:fortios:7.4.4:::::::* cpe:2.3:o:fortinet:fortios:7.4.6:::::::* cpe:2.3:o:fortinet:fortios:7.6.0:::::::* cpe:2.3:o:fortinet:fortipam:1.0.0:::::::* cpe:2.3:o:fortinet:fortipam:1.0.1:::::::* cpe:2.3:o:fortinet:fortipam:1.0.2:::::::* cpe:2.3:o:fortinet:fortipam:1.0.3:::::::* cpe:2.3:o:fortinet:fortipam:1.1.0:::::::* cpe:2.3:o:fortinet:fortipam:1.1.1:::::::* cpe:2.3:o:fortinet:fortipam:1.1.2:::::::* cpe:2.3:o:fortinet:fortipam:1.2.0:::::::* cpe:2.3:o:fortinet:fortipam:1.3.0:::::::* cpe:2.3:o:fortinet:fortipam:1.4.0:::::::* cpe:2.3:o:fortinet:fortipam:1.4.1:::::::*
Vendors & Products		Fortinet Fortinet fortios Fortinet fortipam
References		https://fortiguard.fortinet.com/psirt/FG-IR-24-339
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:X/RC:R'}`

Subscriptions

Fortinet Fortios Fortipam Fortisase

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-06-10T16:36:10.666Z

Updated: 2026-06-09T09:01:55.189Z

Reserved: 2024-10-24T11:52:14.400Z

Link: CVE-2024-50562

Vulnrichment

Updated: 2026-06-09T09:01:55.189Z

NVD

Status : Modified

Published: 2025-06-10T17:19:25.360

Modified: 2026-06-09T10:16:32.237

Link: CVE-2024-50562

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-613
Insufficient Session Expiration

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object