CVE-2025-54972

EUVD-2025-198017
An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link
CRLF Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
fortinetCNA
3.9 LOW
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
fortinetfortimail
7.0.0 ≤
𝑥
< 7.4.6
fortinetfortimail
7.6.0 ≤
𝑥
< 7.6.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://fortiguard.fortinet.com/psirt/FG-IR-25-634