Skip to main content

FortiOS FortiProxy CVE-2025-62675

| EUVDEUVD-2025-210465 MEDIUM
HTTP Response Splitting (CWE-113)
2026-07-14 fortinet GHSA-cm5j-986p-jqrj
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (fortinet) PRIMARY
LOW
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.1 MEDIUM

Token possession is a privilege prerequisite mapping to PR:L; once held, crafting the injection link is straightforward (AC:L), with S:C reflecting downstream browser or cache impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (fortinet).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 14, 2026 - 18:52 NVD
LOW MEDIUM
CVSS changed
Jul 14, 2026 - 18:52 NVD
3.4 (LOW) 4.3 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 16:10 vuln.today
CVE Published
Jul 14, 2026 - 15:15 cve.org
LOW 3.4

DescriptionNVD

An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions may allow an attacker in possession of a valid web filter override token to inject arbitrary headers via tricking a user into clicking on a crafted link.

AnalysisAI

HTTP Response Splitting in Fortinet FortiOS and FortiProxy enables an attacker who holds a valid web filter override token to inject arbitrary HTTP headers into server responses by tricking a user into clicking a crafted link. Affected versions span FortiOS 7.2 through 7.6.4 and FortiProxy 7.2 through 7.6.4. No active exploitation has been confirmed by CISA KEV, though the CVSS temporal vector includes E:P, indicating partial proof-of-concept evidence exists. Real-world impact is constrained by the requirement to possess a valid web filter override token and to achieve user interaction.

Technical ContextAI

HTTP Response Splitting (CWE-113) arises when user-controlled data containing CRLF sequences (\r\n) is incorporated into HTTP response headers without sanitization, allowing an attacker to terminate one response header and inject additional headers or even a fabricated response body. In this case, the vulnerable attack surface is the web filter override mechanism within FortiOS and FortiProxy - a feature that allows authorized users to bypass category-based web filtering using a token. CPE data confirms affected products are cpe:2.3:a:fortinet:fortios, cpe:2.3:a:fortinet:fortiproxy, and cpe:2.3:a:fortinet:fortipam. The S:C (Changed Scope) in the CVSS vector reflects that the injected headers may affect a component beyond the FortiOS/FortiProxy instance itself, such as the victim's browser cache or downstream proxy, which is characteristic of response splitting primitives enabling cache poisoning or cross-site scripting.

RemediationAI

Consult the Fortinet FortiGuard advisory FG-IR-26-152 at https://fortiguard.fortinet.com/psirt/FG-IR-26-152 for exact patched build versions; the CVSS temporal marker RL:O confirms an official fix has been released, but specific fix version numbers are not available in the provided input data and should not be assumed. As a compensating control where immediate patching is not feasible, administrators should audit and revoke web filter override tokens for users who do not strictly require them, reducing the pool of tokens an attacker could obtain or abuse. Additionally, user awareness training to avoid clicking unsolicited links from untrusted parties mitigates the UI:R requirement. Disabling the web filter override feature entirely eliminates the attack surface if the feature is not operationally required, though this will prevent legitimate override workflows. Restricting access to the FortiOS/FortiProxy management and web filtering interfaces to trusted networks also reduces exposure.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2016-1909 CRITICAL POC
9.8 Jan 15

Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0

CVE-2016-6909 CRITICAL POC
9.8 Aug 24

Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9

CVE-2015-1880 MEDIUM POC
4.3 May 12

Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote a

CVE-2025-24472 HIGH
8.1 Feb 11

FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do

CVE-2024-48884 CRITICAL
9.1 Jan 14

Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver

CVE-2022-40684 CRITICAL POC
9.8 Oct 18

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an

CVE-2024-21762 CRITICAL POC
9.8 Feb 09

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0

CVE-2023-25610 CRITICAL
9.8 Mar 24

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0

CVE-2017-3132 MEDIUM POC
6.1 Sep 12

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthor

CVE-2017-3133 MEDIUM POC
6.1 Sep 12

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthor

CVE-2017-3131 MEDIUM POC
5.4 Sep 12

A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to exec

Share

CVE-2025-62675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy