CVE-2025-54972 – This CRLF injection vulnerability in Fortinet F... (How to Fix)

Q: What is the severity of CVE-2025-54972?

CVE-2025-54972 has a CVSS score of 4.3 (MEDIUM). This CRLF injection vulnerability in Fortinet FortiMail allows attackers to inject HTTP headers into server responses by tricking users into clicking malicious links. Affected systems include FortiMail versions 7.0 through 7.6.3, potentially enabling header manipulation attacks.

📋 TL;DR

This CRLF injection vulnerability in Fortinet FortiMail allows attackers to inject HTTP headers into server responses by tricking users into clicking malicious links. Affected systems include FortiMail versions 7.0 through 7.6.3, potentially enabling header manipulation attacks.

💻 Affected Systems

Products:

Fortinet FortiMail

Versions: 7.0 all versions, 7.2 all versions, 7.4.0 through 7.4.5, 7.6.0 through 7.6.3

Operating Systems: FortiOS

Default Config Vulnerable: ⚠️ Yes

Notes: All affected versions in default configuration are vulnerable. Requires user interaction (clicking malicious link).

📦 What is this software?

Fortimail by Fortinet

View all CVEs affecting Fortimail →

Fortimail by Fortinet

View all CVEs affecting Fortimail →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could inject malicious headers leading to cache poisoning, session fixation, or cross-site scripting if combined with other vulnerabilities.

🟠

Likely Case

Header injection allowing manipulation of HTTP responses, potentially enabling phishing or session hijacking attacks.

🟢

If Mitigated

Limited impact with proper input validation and user awareness training.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction but no authentication. Attack complexity is low once malicious link is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiMail 7.6.4, 7.4.6, and later versions

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-634

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Download appropriate patch from Fortinet support portal. 3. Apply patch following Fortinet upgrade procedures. 4. Restart FortiMail services. 5. Verify version update.

🔧 Temporary Workarounds

Input Validation Filtering

all

Implement input validation to filter CRLF sequences in user-supplied URLs

Not applicable - configuration-based workaround

User Awareness Training

all

Train users to avoid clicking suspicious links, especially in email contexts

🧯 If You Can't Patch

Implement web application firewall rules to detect and block CRLF injection attempts
Restrict access to FortiMail web interface to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check FortiMail version via web interface: System > Dashboard > System Information

Check Version:

show system status (CLI) or check web interface dashboard

Verify Fix Applied:

Verify version is 7.6.4+, 7.4.6+, or later patched version

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP header patterns in web logs
Multiple requests with encoded CRLF sequences

Network Indicators:

HTTP requests containing %0D%0A sequences in URLs
Abnormal header responses from FortiMail

SIEM Query:

source="fortimail" AND (url="*%0D%0A*" OR header="*\r\n*")

📊 Metadata

CVE ID: CVE-2025-54972

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-93

EPSS Score: 0.05% exploit probability (13.7th percentile)

Published: November 18, 2025

Last Updated: January 14, 2026

🔗 References

https://fortiguard.fortinet.com/psirt/FG-IR-25-634 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54972, you might also want to check these: