Fortinet FortiOS SSL VPN Insufficient Session Expiration Vulnerability
Vulnerability
An insufficient session expiration vulnerability has been identified in Fortinet FortiOS SSL VPN versions 7.6.0 to 7.6.2, 7.4.0 to 7.4.6, 7.2.0 to 7.2.10, 7.0.0 to 7.0.16, and all versions of 6.4. It may enable a remote attacker, such as a former admin whose account was revoked and whose session was terminated, to access or reopen a user session by reusing the SAML record of that session.
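A simplified Python model of the failure mode described above, added here for illustration; it is not FortiOS code. It assumes a VPN session table keyed by the SAML assertion ID and contrasts the defective behaviour, where terminating a session leaves its SAML record live, with the corrected one, where the record is retired with the session and revocation is re-checked on resume.

```python
from dataclasses import dataclass, field

@dataclass
class SamlRecord:
    user: str
    assertion_id: str
    not_on_or_after: int  # assertion validity end, Unix time (constructed)

@dataclass
class SessionStore:
    # hardened=False reproduces the defect: a terminated session's SAML record stays live.
    hardened: bool
    records: dict = field(default_factory=dict)  # assertion_id -> SamlRecord
    active: dict = field(default_factory=dict)   # assertion_id -> user
    revoked_users: set = field(default_factory=set)

    def login(self, rec: SamlRecord, now: int) -> bool:
        # Consume a fresh assertion once; reject expired, replayed or revoked.
        if rec.user in self.revoked_users or now >= rec.not_on_or_after:
            return False
        if rec.assertion_id in self.records:  # assertion already consumed
            return False
        self.records[rec.assertion_id] = rec
        self.active[rec.assertion_id] = rec.user
        return True

    def revoke_and_terminate(self, user: str) -> None:
        """Admin revokes the account and kills its open sessions."""
        self.revoked_users.add(user)
        for aid in [a for a, u in self.active.items() if u == user]:
            del self.active[aid]
            if self.hardened:
                del self.records[aid]  # fixed: SAML record dies with the session

    def reopen(self, assertion_id: str, now: int) -> bool:
        # Resume a session from its stored SAML record.
        rec = self.records.get(assertion_id)
        if rec is None or now >= rec.not_on_or_after:
            return False
        if self.hardened and rec.user in self.revoked_users:
            return False  # fixed: revocation is checked on every resume
        self.active[assertion_id] = rec.user
        return True

def revoked_admin_can_reopen(hardened: bool) -> bool:
    """True if a revoked admin's terminated session can still be reopened."""
    store = SessionStore(hardened=hardened)
    rec = SamlRecord("former-admin", "_id-0001", not_on_or_after=2000)  # constructed
    store.login(rec, now=1000)
    store.revoke_and_terminate("former-admin")
    return store.reopen("_id-0001", now=1500)
```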
Impact
Exploitation of this vulnerability could lead to improper access control, allowing unauthorized users to access or reopen sessions they should no longer have access to.
Remediation
Users are advised to upgrade to Fortinet FortiOS SSL VPN versions 7.6.3 or above, 7.4.7 or above, 7.2.11 or above, 7.0.17 or above, or to migrate to a fixed release if using FortiOS 6.4. For those using FortiOS 7.4, 7.2, or 7.0, follow the recommended upgrade path using Fortinet's upgrade tool.
