Overview
CVE-2025-54972 is a medium-severity vulnerability affecting Fortinet FortiMail email security gateways. This vulnerability involves an improper neutralization of CRLF (Carriage Return Line Feed) sequences, also known as a CRLF injection, which could allow an attacker to inject arbitrary headers into HTTP responses. The vulnerability exists in FortiMail versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.5, 7.2 (all versions), and 7.0 (all versions).
An attacker exploits this vulnerability by crafting a malicious link and convincing a user to open it. The crafted URL carries the CRLF payload, so the response the FortiMail web interface returns to that user contains the attacker's headers.
Technical Details
The vulnerability stems from insufficient sanitization of user-supplied input that is later used to construct HTTP response headers. Specifically, the CRLF characters (\r\n, or %0D%0A in URL-encoded form) are not neutralized. When these characters are included in a URL parameter that FortiMail copies into a response header, they terminate the header being written and everything that follows is parsed by the browser as further headers. This gives the attacker control over part of the HTTP response sent to the user's browser.
The attack requires user interaction: the user must open a specifically crafted link, and the injected headers are carried in that link's query string.
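The mechanism above, as an added example that is not FortiMail code: a hypothetical redirect endpoint copies a `next` query parameter into a `Location` header, a crafted link carries `%0D%0A`, and the browser-side parser sees an extra `Set-Cookie` header that the server never meant to send. The hardened variant rejects control characters before the value reaches the header, and `url_has_crlf` is the single-decode check a proxy or log reviewer can run over incoming URLs. The endpoint name, the `next` parameter and the sample URLs are all constructed for this illustration.

```python
"""Constructed demonstration of HTTP response-header CRLF injection and of
the two controls that stop it. The handler is hypothetical, not FortiMail code."""
from urllib.parse import parse_qs, unquote

CRLF = b"\r\n"


def build_redirect_vulnerable(raw_query: str) -> bytes:
    """Hypothetical redirect endpoint: copies the `next` query parameter into a
    Location header with no neutralization of CR/LF (the bug class described above)."""
    params = parse_qs(raw_query, keep_blank_values=True)
    target = params.get("next", ["/"])[0]          # percent-decoded by parse_qs
    lines = [
        b"HTTP/1.1 302 Found",
        b"Location: " + target.encode("utf-8"),    # CR/LF inside `target` ends this header early
        b"Content-Length: 0",
        b"",
        b"",
    ]
    return CRLF.join(lines)


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF, NUL and every other C0 control character, plus DEL.
    A redirect target never legitimately contains any of them."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in value)


def build_redirect_hardened(raw_query: str) -> bytes:
    """Same endpoint with the value validated before it is written as a header."""
    params = parse_qs(raw_query, keep_blank_values=True)
    target = params.get("next", ["/"])[0]
    if not is_safe_header_value(target):
        return CRLF.join([b"HTTP/1.1 400 Bad Request", b"Content-Length: 0", b"", b""])
    return CRLF.join([
        b"HTTP/1.1 302 Found",
        b"Location: " + target.encode("utf-8"),
        b"Content-Length: 0",
        b"",
        b"",
    ])


def parse_response(response: bytes):
    """Split a raw response the way a browser does: status line, then one header
    per CRLF-terminated line until the blank line. Returns (status_line, headers)."""
    head, _, _ = response.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("utf-8").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line.decode("utf-8"), headers


def url_has_crlf(url: str) -> bool:
    """Proxy/WAF-side check for a crafted link: percent-decode once and look for a
    raw CR or LF. Double encoding (%250D) decodes to a literal '%0D' and is not
    flagged, which matches what a server that decodes once would see."""
    decoded = unquote(url)
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    # Constructed attacker link: the query smuggles a second header after the redirect target.
    crafted = "next=/login%0D%0ASet-Cookie:%20sid=attacker"
    print(build_redirect_vulnerable(crafted).decode())
    print(parse_response(build_redirect_vulnerable(crafted)))
    print(parse_response(build_redirect_hardened(crafted)))
```

Run stand-alone it prints the raw vulnerable response, where `Set-Cookie: sid=attacker` appears as a header line of its own, followed by the hardened endpoint's `400 Bad Request`. Rejecting the request is preferable to stripping the CR/LF silently: a stripped value still reaches the header, and the attempt is worth logging.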
CVSS Analysis
The vulnerability has a CVSS v3.1 score of 4.3 (Medium).
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
The medium severity reflects the need for user interaction and the limited impact (Integrity: Low).
Possible Impact
Successful exploitation of this vulnerability can lead to the following impacts:
- Header Injection: The attacker can inject arbitrary HTTP headers into the response.
- Cache Poisoning: If a cache sits in front of the gateway, injected caching headers can influence how the response is stored and served to other users; whether this is reachable depends on the caching mechanisms in place.
- Cross-Site Scripting (XSS) (Potentially): This is not a direct XSS vulnerability, but injected headers can in some configurations steer how the browser interprets the response and so lead to script execution; this depends on other factors and is less likely.
- Redirection: The attacker might be able to inject a Location header to redirect the user to a malicious website.
The actual impact depends on the specific headers injected and the context in which the vulnerable FortiMail instance is used.
Mitigation or Patch Steps
Fortinet has released patches to address this vulnerability. Administrators should upgrade their FortiMail installations to a fixed version as soon as possible; consult the Fortinet advisory for the authoritative list of fixed versions and the Fortinet documentation or Fortinet support for upgrade instructions.
Based on the affected ranges above, upgrade to:
- FortiMail 7.6.4 or later
- FortiMail 7.4.6 or later
All versions of the 7.2 and 7.0 branches are affected, so installations on those branches should migrate to a fixed 7.4 or 7.6 release; contact Fortinet support for guidance on the upgrade path.
