
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2025-54972 is a CRLF Header Injection vulnerability (CWE-93) in the Fortinet FortiMail webmail user GUI that allows an unauthenticated attacker to inject arbitrary HTTP headers into server responses by convincing a user to click a specially crafted link. It affects FortiMail 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, all versions of 7.2, and all versions of 7.0; FortiMail 8.0 is not affected. The vulnerability was internally discovered and reported by Jaguar Perlas from the Fortinet Infosec team, with initial publication on November 18, 2025. It carries a CVSSv3 base score of 4.3 (Medium) per NVD and 3.9 (Low) per Fortinet's own advisory (FortiGuard Advisory, Red Hat CVE).
The root cause is improper neutralization of CRLF sequences (CWE-93) in the FortiMail webmail user GUI component. An attacker crafts a malicious URL containing CRLF characters (%0D%0A) that, when clicked by a victim, causes the FortiMail server to include attacker-controlled content in HTTP response headers. This is a social-engineering-dependent, network-accessible attack requiring no authentication and no elevated privileges, but does require user interaction (clicking the crafted link). The attack vector is network-based with low complexity, and exploitation is limited to integrity impact — specifically, the ability to inject arbitrary response headers (FortiGuard Advisory).
Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses served to the victim user, which can facilitate secondary attacks such as HTTP response splitting, cache poisoning, cross-site scripting (via injected headers), or session fixation. The confidentiality impact is none and availability impact is none; only a low integrity impact is assessed. The attack scope is limited to the affected user's session and the FortiMail webmail interface, with no direct path to lateral movement or data exfiltration from this vulnerability alone (FortiGuard Advisory, Red Hat CVE).
%0D%0A) in a parameter that is reflected into HTTP response headers without sanitization.Set-Cookie, Location, or custom headers).%0D%0A, %0D, %0A) in query parameters or path components.Set-Cookie or Location headers in FortiMail webmail responses that were not generated by normal application logic.Fortinet has released patched versions to address this vulnerability: upgrade FortiMail 7.6.x to 7.6.4 or above, and upgrade FortiMail 7.4.x to 7.4.6 or above. Users running FortiMail 7.2 (all versions) or 7.0 (all versions) should migrate to a fixed release, as no patch will be issued for those branches. No configuration-based workaround is documented; upgrading to a fixed version is the recommended remediation (FortiGuard Advisory).
The CIS (Center for Internet Security) included this vulnerability in a broader advisory covering multiple Fortinet product vulnerabilities in November 2025 (CIS Advisory). Given the low severity rating and absence of known exploitation, the vulnerability has not generated significant community discussion or media coverage beyond standard vulnerability tracking and aggregation sites.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"