Advisory ID: SA-2025-FTN-001 
Date Issued: May 15, 2025 
Severity: Critical (CVSS v3.1 Score: 9.8) 
CVE ID: CVE-2025-32756 
Fortinet Advisory: FG-IR-25-254 

Summary 

CVE-2025-32756 is a critical stack-based buffer overflow vulnerability (CWE-121) affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This vulnerability allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests. Fortinet has confirmed active exploitation of this vulnerability in the wild, particularly targeting FortiVoice systems. 

Technical Details 

  • Vulnerability Type: Stack-based Buffer Overflow (CWE-121) 
  • Attack Vector: Remote, unauthenticated HTTP requests 
  • Impact: Arbitrary code execution with potential full system compromise 
  • CVSS v3.1 Score: 9.8 (Critical) 

The vulnerability arises from improper bounds checking during HTTP request processing. Attackers can exploit this flaw by sending specially crafted HTTP requests, leading to a stack overflow that allows overwriting critical memory addresses and executing arbitrary code with root-level privileges.  

Affected Products & Versions 

  • FortiVoice: 6.4.0 through 6.4.10, 7.0.0 through 7.0.6, 7.2.0 
  • FortiMail: 7.0.0 through 7.0.8, 7.2.0 through 7.2.7, 7.4.0 through 7.4.4, 7.6.0 through 7.6.2 
  • FortiNDR: 7.0.0 through 7.0.6, 7.2.0 through 7.2.4, 7.4.0 through 7.4.7, 7.6.0 
  • FortiRecorder: 6.4.0 through 6.4.5, 7.0.0 through 7.0.5, 7.2.0 through 7.2.3 
  • FortiCamera: 1.1 (all versions), 2.0 (all versions), 2.1.0 through 2.1.3 

Exploitation in the Wild 

Fortinet has observed active exploitation of CVE-2025-32756, particularly targeting FortiVoice systems. Attackers have been reported to deploy malware, install cron jobs for credential theft, and scan internal networks, underscoring the urgency for organisations to assess their exposure and remediate identified vulnerabilities promptly.  

Recommended Actions 

Apply Patches Immediately: 
Fortinet has released updates addressing this vulnerability. It's imperative to upgrade affected products to the latest versions as specified in Fortinet's advisory FG-IR-25-254.  
Disable HTTP/HTTPS Administrative Interfaces: 
If immediate patching isn't feasible, disable the HTTP/HTTPS administrative interfaces to mitigate the attack vector. 
Review System Logs and Configurations: 
Check for unusual HTTP request patterns, unexpected system processes, or unauthorised user accounts. Specifically, review the 'fcgi debugging' setting, which, if enabled, could indicate compromise.  
Monitor for Indicators of Compromise (IoCs): 
Stay vigilant for any signs of exploitation and monitor systems for known IoCs associated with this vulnerability. 
Implement Network Segmentation and Access Controls: 
Restrict access to critical systems and services to minimise potential attack surfaces. 

 

References 

 CVE-2025-32756 is a severe, actively exploited vulnerability that poses a significant threat to organisations using Fortinet products. Immediate remediation actions, including patching and forensic review, are strongly recommended to protect affected systems and prevent potential breaches. 

If you require assistance with detection, response, or further guidance, please contact your security team or reach out to Fortinet support. 

 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.