CVE-2024-50562 in FortiOS

Summary

by MITRE • 06/10/2025

An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in to the SSL-VPN portal to log in again, although the session has expired or was logged out.


Analysis

by VulDB Data Team • 07/25/2025

CVE-2024-50562 is a critical insufficient session expiration flaw [CWE-613] in the FortiOS SSL-VPN, affecting version 7.6.0, 7.4.6 and below, 7.2.10 and below, all 7.0 versions and all 6.4 versions. CWE-613 covers cases where a session remains usable beyond the point at which it should have been invalidated. Here, the SSL-VPN does not reliably invalidate a session after an explicit logout or after the session's lifetime has elapsed.

In practice, an attacker who has obtained a valid SSL-VPN session cookie can continue to authenticate and reach network resources after the original session has been logged out or has expired: the system does not adequately check the session's state, so a token that should be dead is still accepted. This amounts to a session replay weakness in which a stolen or intercepted session identifier stays valid beyond its intended lifetime, undermining the authentication and authorization the VPN portal is supposed to enforce.

Operationally, this is a significant risk for organizations that rely on FortiOS SSL-VPN for remote access. An attacker can use it to keep unauthorized access to the corporate network, which may lead to data exfiltration, lateral movement and privilege escalation. It is particularly dangerous because a reused session looks like a normal one, allowing an attacker to extend the access window past the normal session lifecycle without detection. This contradicts the secure session management guidance in NIST SP 800-163 and could give a threat actor time for extended reconnaissance or more sophisticated follow-on attacks.

Mitigation should focus on enforcing proper session expiration and cookie handling: every SSL-VPN deployment should apply strict session timeouts and invalidate sessions on logout or expiry, which means the system must track session state and revoke the session identifier immediately when the session ends. Multi-factor authentication, regular session monitoring and network access control policies further reduce the attack surface. The vulnerability aligns with ATT&CK technique T1566.002 for credential access through session hijacking and is a gap in least privilege enforcement. Organizations should also consider automated session management tools and periodic security assessments to find and fix similar session management weaknesses across their infrastructure.
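The contrast between the two session designs, as an added illustration that is not Fortinet's code (the FortiOS implementation is not public; the classes, key and timeouts below are constructed for the demo): a cookie whose validity is self-contained, so logout cannot revoke it, beside a server-side session store that deletes the record on logout and enforces absolute and idle timeouts on every request.

```python
import hmac, hashlib, secrets

SECRET = b"demo-server-key"  # constructed demo key, not a deployment value

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

class StatelessSessions:
    """Weak pattern: the cookie alone proves validity, so logout cannot revoke it (CWE-613 shape)."""
    def __init__(self, lifetime=3600):
        self.lifetime = lifetime
    def login(self, user, now):
        payload = f"{user}|{int(now) + self.lifetime}"
        return f"{payload}|{_sign(payload)}"
    def logout(self, cookie):
        pass  # nothing server-side to invalidate; the cookie stays usable
    def authenticate(self, cookie, now):
        user, exp, sig = cookie.split("|")
        if not hmac.compare_digest(sig, _sign(f"{user}|{exp}")):
            return None
        return user if now < int(exp) else None

class StatefulSessions:
    """Hardened pattern: server-side record per session, removed on logout, timeouts checked per request."""
    def __init__(self, absolute=3600, idle=600):
        self.absolute, self.idle = absolute, idle
        self.store = {}  # session id -> {"user", "created", "last_seen"}
    def login(self, user, now):
        sid = secrets.token_urlsafe(32)  # opaque, unguessable identifier
        self.store[sid] = {"user": user, "created": now, "last_seen": now}
        return sid
    def logout(self, sid):
        self.store.pop(sid, None)  # revocation is immediate and global
    def authenticate(self, sid, now):
        rec = self.store.get(sid)
        if rec is None:
            return None
        if now - rec["created"] >= self.absolute or now - rec["last_seen"] >= self.idle:
            self.store.pop(sid, None)  # expired: purge so it cannot be revived later
            return None
        rec["last_seen"] = now
        return rec["user"]

def replay_after_logout(sessions, now=1_700_000_000):
    """True if a cookie captured before logout still authenticates afterwards."""
    cookie = sessions.login("alice", now)
    assert sessions.authenticate(cookie, now + 1) == "alice"
    sessions.logout(cookie)
    return sessions.authenticate(cookie, now + 2) is not None
```

Running `replay_after_logout` against each class shows the difference the advisory describes: the stateless design still accepts the cookie after logout, the stateful one rejects it.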

Responsible

Fortinet

Reservation

10/24/2024

Disclosure

06/10/2025

Moderation

accepted

CPE

ready

EPSS

0.01076

KEV

no

Activities

very low
