CVE-2025-53681
Fortimail Análise e mitigação de vulnerabilidades

Visão geral

CVE-2025-53681 is an SQL injection vulnerability (CWE-89) in Fortinet FortiMail's administrative portal that allows an authenticated privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS requests. The vulnerability affects FortiMail versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, and 7.2.0 through 7.2.8. It was disclosed on May 12, 2026, and was internally discovered by Jaguar Perlas of Fortinet's Burnaby InfoSec team. The CVSS v3.1 base score is 6.3 (Medium) per Fortinet's advisory, though NVD rates it 7.2 (High) (FortiGuard Advisory, Feedly).

Detalhes técnicos

The root cause is improper neutralization of special elements in SQL commands (CWE-89) within FortiMail's GUI/administrative portal component. An authenticated attacker with high-level (privileged) administrative access can craft malicious HTTP or HTTPS requests that inject SQL commands into backend database queries, potentially enabling arbitrary code or command execution on the underlying system. The attack vector is network-based, requires no user interaction, and has low attack complexity, but does require high privileges — limiting the attack surface to authenticated administrators or compromised admin accounts (FortiGuard Advisory).

Impacto

Successful exploitation allows an authenticated privileged attacker to execute arbitrary code or commands on the FortiMail system, resulting in high confidentiality, integrity, and availability impact. This could lead to full compromise of the FortiMail appliance, exposure of email data and configurations, and potential use of the compromised system as a pivot point within the network. Given FortiMail's role as an email security gateway, a compromise could expose sensitive organizational communications and anti-spam/anti-malware configurations (FortiGuard Advisory, Feedly).

Mitigação e soluções alternativas

Fortinet has released patched versions to address this vulnerability. Administrators should upgrade to the following versions or later: FortiMail 7.6.4, FortiMail 7.4.6, or FortiMail 7.2.9. As a compensating control, access to the FortiMail administrative interface should be restricted to trusted networks and authorized administrators only, reducing the risk of exploitation by limiting who can reach the vulnerable endpoint (FortiGuard Advisory).

Reações da comunidade

Coverage of this vulnerability has been limited, consistent with its medium severity rating and lack of active exploitation. Security news outlets such as TheCyberThrone covered it as part of Fortinet's May 2026 Patch Tuesday roundup, and the Egyptian Financial Institutions CIRT (EGFINCIRT) published a security update notice (TheCyberThrone, EGFINCIRT). No notable researcher commentary or significant social media discussion has been observed.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Fortimail Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2025-53681HIGH7.2
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimMay 12, 2026
CVE-2024-40588MEDIUM4.4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimAug 12, 2025
CVE-2025-54972MEDIUM4.3
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimNov 18, 2025
CVE-2024-47569MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NãoSimOct 14, 2025
CVE-2025-55717MEDIUM4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimMar 10, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades