CVE-2025-54972

Summary

An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link

Affected Software

VendorProductVersion RangeStatus
FortinetFortiMail7.6.0 <= 7.6.3affected
FortinetFortiMail7.4.0 <= 7.4.5affected
FortinetFortiMail7.2.0 <= 7.2.9affected
FortinetFortiMail7.0.0 <= 7.0.9affected

Weaknesses

  • CWE-93: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References