5 min read
By: RedLegg's Cyber Threat Intelligence Team
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.
VULNERABILITIES:
Fortinet Stack-Based Buffer Overflow in Multiple Products
CVSS Score: 9.6 (Critical)
Identifier: CVE-2025-32756
Exploit or Proof of Concept (PoC): Yes – https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Update: CVE-2025-32756 – Fortinet Security Advisory
Description: CVE-2025-32756 is a critical stack-based buffer overflow (CWE-121) affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The flaw is triggered by a specially crafted HTTP request carrying a malicious hash cookie, which the web management interface mishandles; a remote, unauthenticated attacker can use it to execute arbitrary code or commands on the appliance. Fortinet has confirmed active exploitation in the wild, primarily against FortiVoice systems.
In observed intrusions, threat actors used the vulnerability to gain initial access, scan the internal network from the appliance, enable FCGI debugging so that credentials from system and SSH logins were written to a log file they could collect, and delete crash logs to cover their tracks. Indicators of compromise include newly added or modified files such as /bin/wpad_ac_helper, /lib/libfmlogin.so, and /tmp/.sshdpm, a crash log that has been truncated or emptied, FCGI debugging left enabled, and httpd error-log entries reporting mod_fcgid failures (the FastCGI worker dying mid-request is consistent with a failed or successful overflow attempt).
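The following triage helper is an added example, not RedLegg's or Fortinet's tooling. It checks a filesystem root for the three indicator files named above and scans httpd error-log lines for the mod_fcgid crash messages associated with this exploit, then groups hits by client address so that a burst of crashes from one source stands out. The sample log lines are constructed, and the exact mod_fcgid message text is an assumption modelled on public reporting of these intrusions, so adjust the patterns to what your own appliance logs look like before relying on it.

```python
"""Triage helper for CVE-2025-32756 post-exploitation indicators (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass

# File indicators named in the bulletin, relative to the appliance root.
IOC_FILES = (
    "bin/wpad_ac_helper",
    "lib/libfmlogin.so",
    "tmp/.sshdpm",
)

# mod_fcgid messages emitted when the FastCGI worker dies mid-request.
# ASSUMPTION: message text modelled on public reporting; tune to your logs.
FCGI_PATTERNS = (
    re.compile(r"mod_fcgid: error reading data, FastCGI server closed connection"),
    re.compile(r"mod_fcgid: ap_pass_brigade failed in handle_request_ipc"),
)

# Apache error-log shape: [timestamp] [module:level] [pid N] [client ip:port] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[fcgid:(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "file" or "log"
    detail: str    # relative path, or client IP (no port)
    context: str   # absolute path, or the full log line


def check_ioc_files(root="/"):
    """Return a Finding for every indicator file present under root."""
    found = []
    for rel in IOC_FILES:
        path = os.path.join(root, rel)
        if os.path.lexists(path):  # lexists: a dangling symlink is still suspicious
            found.append(Finding("file", rel, path))
    return found


def scan_fcgi_log(lines):
    """Return a Finding for each log line matching a fcgid crash pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a fcgid line, or not in the expected format
        if any(p.search(m.group("msg")) for p in FCGI_PATTERNS):
            client = m.group("client") or "-"
            ip = client.rsplit(":", 1)[0]  # strip the ephemeral source port
            findings.append(Finding("log", ip, line.strip()))
    return findings


def client_hit_counts(findings):
    """Count fcgid crash lines per client IP; many hits from one IP suggest repeated attempts."""
    counts = {}
    for f in findings:
        if f.kind == "log":
            counts[f.detail] = counts.get(f.detail, 0) + 1
    return counts


def selftest():
    """Plant one indicator file in a scratch root and confirm the file check fires on it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, "tmp", ".sshdpm"), "w").close()
    hits = check_ioc_files(root)
    return [f.detail for f in hits] == ["tmp/.sshdpm"]


# Constructed sample lines; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "[Mon May 12 10:01:02.123456 2025] [fcgid:warn] [pid 1829] [client 203.0.113.5:61025] "
    "mod_fcgid: error reading data, FastCGI server closed connection",
    "[Mon May 12 10:01:03.654321 2025] [fcgid:error] [pid 1503] [client 203.0.113.5:51546] "
    "mod_fcgid: ap_pass_brigade failed in handle_request_ipc function",
    "[Mon May 12 10:05:00.000000 2025] [fcgid:info] [pid 1503] mod_fcgid: worker restarted",
    "[Mon May 12 10:06:00.000000 2025] [core:notice] [pid 1] AH00094: Command line: 'httpd'",
]

if __name__ == "__main__":
    for f in check_ioc_files("/") + scan_fcgi_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail} :: {f.context}")
    print(client_hit_counts(scan_fcgi_log(SAMPLE_LOG)))
```

Run it against a copy of the appliance's httpd error log (for example, piped through `scan_fcgi_log` one line at a time) rather than on the live device if you suspect compromise, and treat a hit on any indicator file as grounds for isolating the appliance and starting incident response, not for simply deleting the file.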
Affected Products (per Fortinet advisory FG-IR-25-254):
- FortiVoice: 6.4.0 through 6.4.10, 7.0.0 through 7.0.6, and 7.2.0 (fixed in 6.4.11, 7.0.7, and 7.2.1)
- FortiMail: 7.0 through 7.6 branches up to 7.6.2 (fixed in 7.0.9, 7.2.8, 7.4.5, and 7.6.3)
- FortiNDR: all 1.x versions (no fix; migrate), and 7.x versions prior to 7.6.1 (fixed in 7.0.7, 7.2.5, 7.4.8, and 7.6.1)
- FortiRecorder: 6.4 through 7.2 branches up to 7.2.3 (fixed in 6.4.6, 7.0.6, and 7.2.4)
- FortiCamera: all 1.1 and 2.0 versions, and 2.1.0 through 2.1.3 (fixed in 2.1.4; earlier branches must migrate to 2.1.4 or later)
Mitigation Recommendation: Fortinet has released fixed versions for each affected branch. Administrators should upgrade immediately. Where patching cannot be done right away, apply Fortinet's published workaround of disabling the HTTP/HTTPS administrative interface, restrict any remaining administrative access to trusted internal networks (never expose it to the Internet), and watch the appliance for unusual activity. Because exploitation has already been observed, patching alone is not sufficient: before and after upgrading, check for the indicator files listed above, confirm that FCGI debugging is not enabled (on affected products, `diag debug application fcgi` should not report the to-file option as enabled), review the httpd error log for mod_fcgid failures, and treat an emptied crash log as suspicious rather than benign. If any indicator is present, assume credentials entered on the appliance since the first sign of compromise are exposed and rotate them.
Note: Given the critical severity of this vulnerability and its confirmed exploitation, prompt action is essential. Keeping management interfaces off the Internet and applying vendor updates promptly limits the window in which flaws like this one can be used against your infrastructure.