CVE-2025-55018: HTTP Request Smuggling in Fortinet FortiOS

Severity: 5.8 MEDIUM (NVD)
EPSS: 0.1% (top 77.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Feb 10

Description

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, and FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged HTTP request through the firewall policies via a specially crafted header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 2 packages

NVD | fortinet/fortios | 7.0.0 | 7.4.10 | +2
CVEListV5 | fortinet/fortios | 7.4.0 | 7.4.9 | +4

🔴 Vulnerability Details (2)

GHSA
GHSA-7hxv-xg9w-4xg7: An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7 (2026-02-10)
CVEList
CVE-2025-55018: An inconsistent interpretation of http requests ('http request smuggling') vulnerability in Fortinet FortiOS 7 (2026-02-10)

📋 Vendor Advisories (1)

Fortinet
Request smuggling attack in FortiOS (2026-02-10)

🕵️ Threat Intelligence (1)

Wiz
CVE-2025-55018 Impact, Exploitability, and Mitigation Steps | Wiz