Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AC:H reflects mandatory MITM interception prerequisite; PR:N and UI:R because no attacker auth is needed but victim must be actively authenticating; I:L only as header injection yields no direct confidentiality or availability impact.
Primary rating from Vendor (fortinet).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions may allow an attacker able to intercept and modify a user's captive portal authentication request to inject arbitrary headers via crafted HTTP requests.
AnalysisAI
HTTP Response Splitting in Fortinet FortiOS and FortiProxy captive portal authentication flows enables a man-in-the-middle attacker to inject arbitrary HTTP headers into intercepted authentication requests. Affected platforms span FortiOS 7.2-7.6.4 and FortiProxy 7.2-7.6.4. The CVSS temporal vector includes E:P, confirming proof-of-concept exploit code exists; however, no active exploitation has been confirmed via CISA KEV. The RL:O temporal indicator confirms an official remediation is available per vendor advisory FG-IR-26-153.
Technical ContextAI
CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) describes a class of injection flaws where carriage-return and line-feed characters embedded in attacker-controlled input are passed unsanitized into HTTP response headers. In this case, the vulnerable component is the captive portal authentication handler present in FortiOS and FortiProxy, both Fortinet network security appliances. CPE strings confirm affected products include cpe:2.3:a:fortinet:fortios:*:*:*:*:*:*:*:*, cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*, and cpe:2.3:a:fortinet:fortipam:*:*:*:*:*:*:*:*. By injecting CRLF sequences into a captive portal auth request, an attacker positioned to intercept that request can split the HTTP response stream and prepend arbitrary headers - potentially manipulating caching directives, setting attacker-controlled cookies, or laying groundwork for follow-on attacks such as session fixation or cache poisoning.
RemediationAI
An official patch is available per the CVSS RL:O temporal indicator; administrators should consult the Fortinet PSIRT advisory FG-IR-26-153 at https://fortiguard.fortinet.com/psirt/FG-IR-26-153 for exact fixed versions and upgrade instructions, as precise patched version numbers were not independently confirmed from the available input data. As a compensating control for environments where immediate patching is not feasible, disabling or restricting the captive portal feature eliminates the vulnerable attack surface entirely, though this impacts guest and user authentication workflows that depend on it. Network segmentation to prevent untrusted devices from achieving a man-in-the-middle position on the captive portal traffic path substantially limits attacker access, with the trade-off of additional network infrastructure complexity. Enforcing HTTPS for all captive portal interactions reduces the practical exploitability of CRLF injection in the authentication flow.
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.
A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.
A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10,
Authenticated remote code execution in Fortinet FortiOS, FortiProxy, and FortiPAM enables low-privileged users to trigge
A stack-based buffer overflow in Fortinet FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiWeb, Fo
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, Forti
A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attac
A double free vulnerability [CWE-415] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.
Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution fo
A security vulnerability in Fortinet FortiPAM 1.4.0 (CVSS 6.3) that allows attacker. Remediation should follow standard
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210466
GHSA-xm2q-h8v9-r8j8