CVE-2025-54972
Fortimail Analyse et atténuation des vulnérabilités

Aperçu

CVE-2025-54972 is a CRLF Header Injection vulnerability (CWE-93) in the Fortinet FortiMail webmail user GUI that allows an unauthenticated attacker to inject arbitrary HTTP headers into server responses by convincing a user to click a specially crafted link. It affects FortiMail 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, all versions of 7.2, and all versions of 7.0; FortiMail 8.0 is not affected. The vulnerability was internally discovered and reported by Jaguar Perlas from the Fortinet Infosec team, with initial publication on November 18, 2025. It carries a CVSSv3 base score of 4.3 (Medium) per NVD and 3.9 (Low) per Fortinet's own advisory (FortiGuard Advisory, Red Hat CVE).

Détails techniques

The root cause is improper neutralization of CRLF sequences (CWE-93) in the FortiMail webmail user GUI component. An attacker crafts a malicious URL containing CRLF characters (%0D%0A) that, when clicked by a victim, causes the FortiMail server to include attacker-controlled content in HTTP response headers. This is a social-engineering-dependent, network-accessible attack requiring no authentication and no elevated privileges, but does require user interaction (clicking the crafted link). The attack vector is network-based with low complexity, and exploitation is limited to integrity impact — specifically, the ability to inject arbitrary response headers (FortiGuard Advisory).

Impact

Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses served to the victim user, which can facilitate secondary attacks such as HTTP response splitting, cache poisoning, cross-site scripting (via injected headers), or session fixation. The confidentiality impact is none and availability impact is none; only a low integrity impact is assessed. The attack scope is limited to the affected user's session and the FortiMail webmail interface, with no direct path to lateral movement or data exfiltration from this vulnerability alone (FortiGuard Advisory, Red Hat CVE).

Étapes d’exploitation

  1. Craft malicious URL: Construct a URL targeting the FortiMail webmail GUI endpoint that includes CRLF sequences (e.g., %0D%0A) in a parameter that is reflected into HTTP response headers without sanitization.
  2. Social engineering: Deliver the crafted link to a target FortiMail user via phishing email, instant message, or other communication channel, convincing them to click it.
  3. Victim clicks link: The victim's browser sends a request to the FortiMail server using the attacker-controlled URL.
  4. Header injection: The FortiMail server processes the unsanitized input and includes the injected CRLF sequences in the HTTP response headers, allowing the attacker to append arbitrary headers (e.g., Set-Cookie, Location, or custom headers).
  5. Secondary attack: Leverage the injected headers to perform follow-on attacks such as session fixation, cache poisoning, or redirecting the victim to a malicious site (FortiGuard Advisory).

Indicateurs de compromis

  • Network: HTTP requests to the FortiMail webmail GUI containing URL-encoded CRLF sequences (%0D%0A, %0D, %0A) in query parameters or path components.
  • Logs: FortiMail access logs showing requests with unusual encoded characters in URL parameters, particularly those reflected in response headers; HTTP responses containing unexpected or duplicate headers.
  • Network: Anomalous Set-Cookie or Location headers in FortiMail webmail responses that were not generated by normal application logic.

Atténuation et solutions de contournement

Fortinet has released patched versions to address this vulnerability: upgrade FortiMail 7.6.x to 7.6.4 or above, and upgrade FortiMail 7.4.x to 7.4.6 or above. Users running FortiMail 7.2 (all versions) or 7.0 (all versions) should migrate to a fixed release, as no patch will be issued for those branches. No configuration-based workaround is documented; upgrading to a fixed version is the recommended remediation (FortiGuard Advisory).

Réactions de la communauté

The CIS (Center for Internet Security) included this vulnerability in a broader advisory covering multiple Fortinet product vulnerabilities in November 2025 (CIS Advisory). Given the low severity rating and absence of known exploitation, the vulnerability has not generated significant community discussion or media coverage beyond standard vulnerability tracking and aggregation sites.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Fortimail Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2025-53681HIGH7.2
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiMay 12, 2026
CVE-2024-40588MEDIUM4.4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortindr
NonOuiAug 12, 2025
CVE-2025-54972MEDIUM4.3
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiNov 18, 2025
CVE-2024-47569MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiweb
NonOuiOct 14, 2025
CVE-2025-55717MEDIUM4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NonOuiMar 10, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités