CVE-2025-54972
Fortimail Análise e mitigação de vulnerabilidades

Visão geral

CVE-2025-54972 is a CRLF Header Injection vulnerability (CWE-93) in the Fortinet FortiMail webmail user GUI that allows an unauthenticated attacker to inject arbitrary HTTP headers into server responses by convincing a user to click a specially crafted link. It affects FortiMail 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, all versions of 7.2, and all versions of 7.0; FortiMail 8.0 is not affected. The vulnerability was internally discovered and reported by Jaguar Perlas from the Fortinet Infosec team, with initial publication on November 18, 2025. It carries a CVSSv3 base score of 4.3 (Medium) per NVD and 3.9 (Low) per Fortinet's own advisory (FortiGuard Advisory, Red Hat CVE).

Detalhes técnicos

The root cause is improper neutralization of CRLF sequences (CWE-93) in the FortiMail webmail user GUI component. An attacker crafts a malicious URL containing CRLF characters (%0D%0A) that, when clicked by a victim, causes the FortiMail server to include attacker-controlled content in HTTP response headers. This is a social-engineering-dependent, network-accessible attack requiring no authentication and no elevated privileges, but does require user interaction (clicking the crafted link). The attack vector is network-based with low complexity, and exploitation is limited to integrity impact — specifically, the ability to inject arbitrary response headers (FortiGuard Advisory).

Impacto

Successful exploitation allows an attacker to inject arbitrary HTTP headers into responses served to the victim user, which can facilitate secondary attacks such as HTTP response splitting, cache poisoning, cross-site scripting (via injected headers), or session fixation. The confidentiality impact is none and availability impact is none; only a low integrity impact is assessed. The attack scope is limited to the affected user's session and the FortiMail webmail interface, with no direct path to lateral movement or data exfiltration from this vulnerability alone (FortiGuard Advisory, Red Hat CVE).

Etapas de exploração

  1. Craft malicious URL: Construct a URL targeting the FortiMail webmail GUI endpoint that includes CRLF sequences (e.g., %0D%0A) in a parameter that is reflected into HTTP response headers without sanitization.
  2. Social engineering: Deliver the crafted link to a target FortiMail user via phishing email, instant message, or other communication channel, convincing them to click it.
  3. Victim clicks link: The victim's browser sends a request to the FortiMail server using the attacker-controlled URL.
  4. Header injection: The FortiMail server processes the unsanitized input and includes the injected CRLF sequences in the HTTP response headers, allowing the attacker to append arbitrary headers (e.g., Set-Cookie, Location, or custom headers).
  5. Secondary attack: Leverage the injected headers to perform follow-on attacks such as session fixation, cache poisoning, or redirecting the victim to a malicious site (FortiGuard Advisory).

Indicadores de compromisso

  • Network: HTTP requests to the FortiMail webmail GUI containing URL-encoded CRLF sequences (%0D%0A, %0D, %0A) in query parameters or path components.
  • Logs: FortiMail access logs showing requests with unusual encoded characters in URL parameters, particularly those reflected in response headers; HTTP responses containing unexpected or duplicate headers.
  • Network: Anomalous Set-Cookie or Location headers in FortiMail webmail responses that were not generated by normal application logic.

Mitigação e soluções alternativas

Fortinet has released patched versions to address this vulnerability: upgrade FortiMail 7.6.x to 7.6.4 or above, and upgrade FortiMail 7.4.x to 7.4.6 or above. Users running FortiMail 7.2 (all versions) or 7.0 (all versions) should migrate to a fixed release, as no patch will be issued for those branches. No configuration-based workaround is documented; upgrading to a fixed version is the recommended remediation (FortiGuard Advisory).

Reações da comunidade

The CIS (Center for Internet Security) included this vulnerability in a broader advisory covering multiple Fortinet product vulnerabilities in November 2025 (CIS Advisory). Given the low severity rating and absence of known exploitation, the vulnerability has not generated significant community discussion or media coverage beyond standard vulnerability tracking and aggregation sites.

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Fortimail Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2025-53681HIGH7.2
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimMay 12, 2026
CVE-2024-40588MEDIUM4.4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimAug 12, 2025
CVE-2025-54972MEDIUM4.3
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimNov 18, 2025
CVE-2024-47569MEDIUM4.3
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NãoSimOct 14, 2025
CVE-2025-55717MEDIUM4
  • Fortimail logoFortimail
  • cpe:2.3:a:fortinet:fortimail
NãoSimMar 10, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades