CVE-2024-50562
MediumCVSS 4.8Exploitation Probability (EPSS)
Elevated risk74th percentile - higher than 74% of all known CVEs
Summary
FortiOS SSL-VPN has an insufficient session expiration vulnerability that allows an attacker with a cookie used for login to log in again, even if the session has expired or was logged out.
Risk Assessment
This vulnerability may lead to unauthorized access to organizational resources, posing a significant threat to data security.
Recommendation
It is recommended to update FortiOS SSL-VPN to the latest version to mitigate this vulnerability and implement additional security mechanisms for user sessions.
Original NVD description (English source)
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.

