
PEACH
Un cadre d’isolation des locataires
CVE-2025-62826 is an HTTP Response Splitting vulnerability (CWE-113) in Fortinet FortiOS and FortiProxy captive portal authentication, allowing an attacker who can intercept and modify a user's captive portal authentication request to inject arbitrary HTTP headers via crafted requests. Affected versions include FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4 all versions, and FortiProxy 7.2 all versions. FortiOS 8.0 is not affected. The vulnerability was publicly disclosed on July 14, 2026, and carries a CVSSv3 score of 3.1 (Low) per Fortinet's advisory, though NVD assigns it 4.3 (Medium) (FortiGuard Advisory).
The vulnerability is classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), where the captive portal authentication form fails to properly sanitize CRLF sequences (\r\n) in user-supplied input before incorporating it into HTTP response headers. An attacker positioned as a man-in-the-middle who can intercept and modify a victim's captive portal authentication request can inject crafted CRLF sequences to split the HTTP response, effectively inserting arbitrary headers into the server's response to the client. Exploitation requires the attacker to have network access sufficient to intercept and tamper with the target user's HTTP traffic — a prerequisite that limits the attack surface to local network segments or compromised network infrastructure (FortiGuard Advisory).
Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses delivered to captive portal users, enabling response manipulation such as cache poisoning, session fixation, or cross-site scripting via injected headers. The integrity of HTTP responses is compromised, but confidentiality and availability are not directly impacted. The attack scope is limited to users interacting with the captive portal on affected FortiOS or FortiProxy deployments, and lateral movement potential is low given the constrained attack vector (FortiGuard Advisory).
%0d%0a or \r\n) within a parameter that is reflected into HTTP response headers (e.g., a redirect URL or form field), crafting a payload such as value%0d%0aInjected-Header:%20malicious-value.%0d%0a, %0a, %0d) in parameter values; unexpected HTTP headers appearing in captive portal responses.Fortinet recommends upgrading FortiOS 7.6.x to version 7.6.5 or above, and upgrading FortiProxy 7.6.x to version 7.6.5 or above. Users running FortiOS 7.4 or 7.2 (all versions) and FortiProxy 7.4 or 7.2 (all versions) should migrate to a fixed release, as no patch is available within those branches. FortiOS 8.0 is not affected. As a network-level mitigation, deploying TLS/SSL encryption for captive portal traffic and implementing network segmentation can reduce the risk of an attacker achieving the required man-in-the-middle position. Fortinet's upgrade path tool is available at https://docs.fortinet.com/upgrade-tool (FortiGuard Advisory).
Fortinet credited Vang3lis from VARAS@IIE for responsibly disclosing the vulnerability. Security news outlets including CyberSecurityNews and HealSecurity covered the advisory as part of Fortinet's July 2026 patch release addressing seven vulnerabilities across FortiOS, FortiProxy, FortiPAM, and FortiSandbox. Community reaction has been muted given the low CVSS score and the significant prerequisite of a man-in-the-middle position required for exploitation (FortiGuard Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."