CVE-2025-54972:
Fortimail Análisis y mitigación de vulnerabilidades
Vista general
CVE-2025-54972 is a CRLF Header Injection vulnerability (CWE-93) in the Fortinet FortiMail webmail user GUI that allows an unauthenticated attacker to inject arbitrary HTTP headers into server responses by convincing a user to click a specially crafted link. It affects FortiMail 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, all versions of 7.2, and all versions of 7.0; FortiMail 8.0 is not affected. The vulnerability was internally discovered and reported by Jaguar Perlas from the Fortinet Infosec team, with initial publication on November 18, 2025. It carries a CVSSv3 base score of 4.3 (Medium) per NVD and 3.9 (Low) per Fortinet's own advisory (FortiGuard Advisory, Red Hat CVE).
Técnicas
The root cause is improper neutralization of CRLF sequences (CWE-93) in the FortiMail webmail user GUI component. An attacker crafts a malicious URL containing CRLF characters (%0D%0A) that, when clicked by a victim, causes the FortiMail server to include attacker-controlled content in HTTP response headers. This is a social-engineering-dependent, network-accessible attack requiring no authentication and no elevated privileges, but does require user interaction (clicking the crafted link). The attack vector is network-based with low complexity, and exploitation is limited to integrity impact — specifically, the ability to inject arbitrary response headers (FortiGuard Advisory).
Impacto
Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses served to the victim user, which can facilitate secondary attacks such as HTTP response splitting, cache poisoning, cross-site scripting (via injected headers), or session fixation. The confidentiality impact is none and availability impact is none; only a low integrity impact is assessed. The attack scope is limited to the affected user's session and the FortiMail webmail interface, with no direct path to lateral movement or data exfiltration from this vulnerability alone (FortiGuard Advisory, Red Hat CVE).
Pasos de explotación
- Craft malicious URL: Construct a URL targeting the FortiMail webmail GUI endpoint that includes CRLF sequences (e.g.,
%0D%0A) in a parameter that is reflected into HTTP response headers without sanitization. - Social engineering: Deliver the crafted link to a target FortiMail user via phishing email, instant message, or other communication channel, convincing them to click it.
- Victim clicks link: The victim's browser sends a request to the FortiMail server using the attacker-controlled URL.
- Header injection: The FortiMail server processes the unsanitized input and includes the injected CRLF sequences in the HTTP response headers, allowing the attacker to append arbitrary headers (e.g.,
Set-Cookie,Location, or custom headers). - Secondary attack: Leverage the injected headers to perform follow-on attacks such as session fixation, cache poisoning, or redirecting the victim to a malicious site (FortiGuard Advisory).
Indicadores de compromiso
- Network: HTTP requests to the FortiMail webmail GUI containing URL-encoded CRLF sequences (
%0D%0A,%0D,%0A) in query parameters or path components. - Logs: FortiMail access logs showing requests with unusual encoded characters in URL parameters, particularly those reflected in response headers; HTTP responses containing unexpected or duplicate headers.
- Network: Anomalous
Set-CookieorLocationheaders in FortiMail webmail responses that were not generated by normal application logic.
Mitigación y soluciones alternativas
Fortinet has released patched versions to address this vulnerability: upgrade FortiMail 7.6.x to 7.6.4 or above, and upgrade FortiMail 7.4.x to 7.4.6 or above. Users running FortiMail 7.2 (all versions) or 7.0 (all versions) should migrate to a fixed release, as no patch will be issued for those branches. No configuration-based workaround is documented; upgrading to a fixed version is the recommended remediation (FortiGuard Advisory).
Reacciones de la comunidad
The CIS (Center for Internet Security) included this vulnerability in a broader advisory covering multiple Fortinet product vulnerabilities in November 2025 (CIS Advisory). Given the low severity rating and absence of known exploitation, the vulnerability has not generated significant community discussion or media coverage beyond standard vulnerability tracking and aggregation sites.
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Fortimail Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."