CVE-2025-54972

CWE-934 documents4 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 81.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Fortinet Fortimail
Timeline
PublishedNov 18

Description

An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDfortinet/fortimail7.0.07.4.6+1
CVEListV5fortinet/fortimail7.6.07.6.3+3

🔴Vulnerability Details

2
GHSA
GHSA-prjc-xc24-cv4p: An improper neutralization of crlf sequences ('crlf injection') in Fortinet FortiMail 72025-11-18
CVEList
CVE-2025-54972: An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 72025-11-18

📋Vendor Advisories

1
Fortinet
An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3,...2025-11-18
CVE-2025-54972 (MEDIUM CVSS 4.3) | An improper neutralization of crlf | cvebase.io