CVE-2025-54972
Fortimail 취약성 분석 및 완화

개요

CVE-2025-54972 is a CRLF Header Injection vulnerability (CWE-93) in the Fortinet FortiMail webmail user GUI that allows an unauthenticated attacker to inject arbitrary HTTP headers into server responses by convincing a user to click a specially crafted link. It affects FortiMail 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, all versions of 7.2, and all versions of 7.0; FortiMail 8.0 is not affected. The vulnerability was internally discovered and reported by Jaguar Perlas from the Fortinet Infosec team, with initial publication on November 18, 2025. It carries a CVSSv3 base score of 4.3 (Medium) per NVD and 3.9 (Low) per Fortinet's own advisory (FortiGuard Advisory, Red Hat CVE).

기술적 세부 사항

The root cause is improper neutralization of CRLF sequences (CWE-93) in the FortiMail webmail user GUI component. An attacker crafts a malicious URL containing CRLF characters (%0D%0A) that, when clicked by a victim, causes the FortiMail server to include attacker-controlled content in HTTP response headers. This is a social-engineering-dependent, network-accessible attack requiring no authentication and no elevated privileges, but does require user interaction (clicking the crafted link). The attack vector is network-based with low complexity, and exploitation is limited to integrity impact — specifically, the ability to inject arbitrary response headers (FortiGuard Advisory).

영향

Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses served to the victim user, which can facilitate secondary attacks such as HTTP response splitting, cache poisoning, cross-site scripting (via injected headers), or session fixation. The confidentiality impact is none and availability impact is none; only a low integrity impact is assessed. The attack scope is limited to the affected user's session and the FortiMail webmail interface, with no direct path to lateral movement or data exfiltration from this vulnerability alone (FortiGuard Advisory, Red Hat CVE).

착취 단계

  1. Craft malicious URL: Construct a URL targeting the FortiMail webmail GUI endpoint that includes CRLF sequences (e.g., %0D%0A) in a parameter that is reflected into HTTP response headers without sanitization.
  2. Social engineering: Deliver the crafted link to a target FortiMail user via phishing email, instant message, or other communication channel, convincing them to click it.
  3. Victim clicks link: The victim's browser sends a request to the FortiMail server using the attacker-controlled URL.
  4. Header injection: The FortiMail server processes the unsanitized input and includes the injected CRLF sequences in the HTTP response headers, allowing the attacker to append arbitrary headers (e.g., Set-Cookie, Location, or custom headers).
  5. Secondary attack: Leverage the injected headers to perform follow-on attacks such as session fixation, cache poisoning, or redirecting the victim to a malicious site (FortiGuard Advisory).

타협의 징후

  • Network: HTTP requests to the FortiMail webmail GUI containing URL-encoded CRLF sequences (%0D%0A, %0D, %0A) in query parameters or path components.
  • Logs: FortiMail access logs showing requests with unusual encoded characters in URL parameters, particularly those reflected in response headers; HTTP responses containing unexpected or duplicate headers.
  • Network: Anomalous Set-Cookie or Location headers in FortiMail webmail responses that were not generated by normal application logic.

완화 및 해결 방법

Fortinet has released patched versions to address this vulnerability: upgrade FortiMail 7.6.x to 7.6.4 or above, and upgrade FortiMail 7.4.x to 7.4.6 or above. Users running FortiMail 7.2 (all versions) or 7.0 (all versions) should migrate to a fixed release, as no patch will be issued for those branches. No configuration-based workaround is documented; upgrading to a fixed version is the recommended remediation (FortiGuard Advisory).

커뮤니티 반응

The CIS (Center for Internet Security) included this vulnerability in a broader advisory covering multiple Fortinet product vulnerabilities in November 2025 (CIS Advisory). Given the low severity rating and absence of known exploitation, the vulnerability has not generated significant community discussion or media coverage beyond standard vulnerability tracking and aggregation sites.

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 Fortimail 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2025-53681HIGH7.2
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
아니요May 12, 2026
CVE-2024-40588MEDIUM4.4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
아니요Aug 12, 2025
CVE-2025-54972MEDIUM4.3
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
아니요Nov 18, 2025
CVE-2024-47569MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortimanager
아니요Oct 14, 2025
CVE-2025-55717MEDIUM4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
아니요Mar 10, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자