CVE-2022-45862

Name of the Vulnerable Software and Affected Versions FortiOS versions 7.2.5 and below, 7.0 all versions, 6.4 all versions FortiProxy versions 7.2 all versions, 7.0 all versions FortiPAM versions 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions FortiSwitchManager versions 7.2.1 and below, 7.0 all versions

Description The issue is related to an insufficient session expiration vulnerability. This vulnerability may allow a remote attacker to gain unauthorized access to the device by reusing web sessions after GUI logout, provided they have acquired the required credentials.

Recommendations For FortiOS versions 7.2.5 and below, 7.0 all versions, 6.4 all versions, update to a version that includes a fix for the session expiration issue. For FortiProxy versions 7.2 all versions, 7.0 all versions, update to a version that includes a fix for the session expiration issue. For FortiPAM versions 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions, update to a version that includes a fix for the session expiration issue. For FortiSwitchManager versions 7.2.1 and below, 7.0 all versions, update to a version that includes a fix for the session expiration issue. As a temporary workaround, consider restricting access to the GUI to minimize the risk of exploitation.