{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-54972","assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","state":"PUBLISHED","assignerShortName":"fortinet","dateReserved":"2025-08-04T08:14:35.422Z","datePublished":"2025-11-18T17:01:15.406Z","dateUpdated":"2026-01-14T09:15:54.810Z"},"containers":{"cna":{"affected":[{"vendor":"Fortinet","product":"FortiMail","cpes":["cpe:2.3:a:fortinet:fortimail:7.6.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.6.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.6.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.6.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.4.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.9:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.2.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.9:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortimail:7.0.0:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"versionType":"semver","version":"7.6.0","lessThanOrEqual":"7.6.3","status":"affected"},{"versionType":"semver","version":"7.4.0","lessThanOrEqual":"7.4.5","status":"affected"},{"versionType":"semver","version":"7.2.0","lessThanOrEqual":"7.2.9","status":"affected"},{"versionType":"semver","version":"7.0.0","lessThanOrEqual":"7.0.9","status":"affected"}]}],"descriptions":[{"lang":"en","value":"An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link"}],"providerMetadata":{"orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet","dateUpdated":"2026-01-14T09:15:54.810Z"},"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-93","description":"Information disclosure","type":"CWE"}]}],"metrics":[{"format":"CVSS","cvssV3_1":{"version":"3.1","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.9,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}],"solutions":[{"lang":"en","value":"Upgrade to upcoming  FortiMail version 8.0.0 or above\nUpgrade to FortiMail version 7.6.4 or above\nUpgrade to FortiMail version 7.4.6 or above"}],"references":[{"name":"https://fortiguard.fortinet.com/psirt/FG-IR-25-634","url":"https://fortiguard.fortinet.com/psirt/FG-IR-25-634"}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-19T14:27:05.795266Z","id":"CVE-2025-54972","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-19T14:27:11.711Z"}}]}}