CVE-2025-62675

Summary

An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions may allow an attacker in possession of a valid web filter override token to inject arbitrary headers via tricking a user into clicking on a crafted link.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS7.6.0 <= 7.6.4affected
FortinetFortiOS7.4.0 <= 7.4.12affected
FortinetFortiOS7.2.0 <= 7.2.13affected
FortinetFortiOS7.0.0 <= 7.0.19affected
FortinetFortiOS6.4.0 <= 6.4.16affected
FortinetFortiPAM1.7.0affected
FortinetFortiPAM1.6.0 <= 1.6.2affected
FortinetFortiPAM1.5.0 <= 1.5.1affected
FortinetFortiPAM1.4.0 <= 1.4.3affected
FortinetFortiPAM1.3.0 <= 1.3.1affected
FortinetFortiPAM1.2.0affected
FortinetFortiPAM1.1.0 <= 1.1.2affected
FortinetFortiPAM1.0.0 <= 1.0.3affected
FortinetFortiProxy7.6.0 <= 7.6.4affected
FortinetFortiProxy7.4.0 <= 7.4.14affected
FortinetFortiProxy7.2.0 <= 7.2.16affected
FortinetFortiProxy7.0.0 <= 7.0.23affected

Weaknesses

  • CWE-113: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References