Threat Advisory: Fortinet CVE-2025-32756 Vulnerability


Report Date: May 26, 2025

I. Executive Summary
A critical (CVSS 9.6) unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2025-32756, affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The vulnerability stems from a stack-based buffer overflow in the administrative API, specifically within the cookieval_unwrap() function when processing APSCOOKIE values. Threat actors are confirmed to be actively exploiting this flaw in the wild, particularly targeting FortiVoice systems. Observed malicious activities include network scanning, credential harvesting (via enabling fcgi debugging), log manipulation, malware deployment, and establishing persistence through cron jobs. A detailed Proof-of-Concept (PoC) has been publicly released by security researchers, increasing the risk of widespread exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-32756 to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for federal agencies by June 4, 2025. Immediate patching to the fixed versions provided by Fortinet is strongly recommended. If patching is not immediately possible, disabling the HTTP/HTTPS administrative interface serves as a temporary workaround.

II. Vulnerability Details
This section provides technical details regarding the identified vulnerability.
• Identifier: CVE-2025-32756
• CVSS v3.1 Score: 9.6 (Critical)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Assumed based on description, source did not provide vector)
• Description: A stack-based buffer overflow vulnerability exists in the administrative API of several Fortinet products. The flaw resides in the cookieval_unwrap() function within the libhttputil.so library, where improper bounds checking during the processing of APSCOOKIE values can lead to an overflow of a 16-byte buffer. This allows a remote, unauthenticated attacker to overwrite stack values, including the return address, potentially leading to arbitrary code execution through specially crafted HTTP requests.
Affected Products and Versions
The following Fortinet product lines are confirmed to be affected. Organizations should consult Fortinet advisories for precise version details relevant to their deployments.
Product Line      Affected Versions (consult Fortinet for specifics)
FortiVoice        Multiple versions
FortiMail         Multiple versions
FortiNDR          Multiple versions
FortiRecorder     Multiple versions
FortiCamera       Multiple versions

Exploitation Details
Evidence indicates that CVE-2025-32756 is being actively exploited by threat actors in the wild. This section details the current exploitation landscape.


Active Exploitation
Fortinet has confirmed through observed threat activity that attackers are actively targeting this vulnerability, with a particular focus on FortiVoice unified communication systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) corroborated the active exploitation by adding CVE-2025-32756 to its Known Exploited Vulnerabilities (KEV) catalog on May 14, 2025, shortly after Fortinet’s advisory. This designation mandates remediation for U.S. federal agencies by June 4, 2025, underscoring the severity and urgency.


Proof-of-Concept (PoC) Availability
Security researchers from horizon3 have published a detailed technical analysis and Proof-of-Concept (PoC) for CVE-2025-32756. The availability of this PoC significantly lowers the barrier for other threat actors to develop and deploy exploits, likely leading to an increase in attempted attacks against vulnerable systems.


Attacker Tactics, Techniques, and Procedures (TTPs)
Based on Fortinet’s investigation into the observed exploitation, threat actors have been seen employing the following TTPs and leaving associated Indicators of Compromise (IoCs):
Tactic              Technique/Indicator
Reconnaissance      Conducting network scans from compromised devices.
Defense Evasion     Erasing system crash logs (e.g., /var/log/crash.log).
Credential Access   Enabling ‘fcgi debugging’ (diagnose debug enable, diagnose fcgi debug enable) to capture authentication attempts (including SSH).
Execution           Deploying unspecified malware payloads.
Persistence         Establishing cron jobs for ongoing credential theft or maintaining access.

Organizations should monitor for these activities as potential signs of compromise.


Recommendations
Given the critical nature of CVE-2025-32756 and confirmed active exploitation, immediate action is required to mitigate risk. The following steps are recommended:

  1. Prioritize Patching: Upgrade all affected Fortinet appliances to the vendor-provided fixed versions as soon as possible. Consult Fortinet security advisories for the specific patch applicable to your product and version branch. Known fixed versions include:
    • FortiVoice: 7.2.1, 7.0.7, or 6.4.11 (depending on branch)
    • FortiMail: 7.6.3, 7.4.5, 7.2.8, or 7.0.9 (depending on branch)
    • (Consult Fortinet for FortiNDR, FortiRecorder, FortiCamera fixed versions)
  2. Apply Workaround (If Patching Delayed): If immediate patching is not feasible, disable the HTTP/HTTPS administrative interface on affected devices to remove the attack vector. This should be considered a temporary measure until patching can be completed.
  3. Monitor for Compromise: Actively monitor systems for the Indicators of Compromise (IoCs) listed in the Appendix. Implement logging and alerting rules to detect suspicious activity related to this vulnerability.
  4. Review Access Controls: Ensure administrative interfaces for critical infrastructure are not exposed directly to the internet unless absolutely necessary and are protected by strong access controls and multi-factor authentication.
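The fixed versions above are per release branch, which is where inventory checks usually go wrong (a 7.2.0 appliance is not covered by the 7.0.7 fix). The following is an added example, not Fortinet tooling or code from this advisory, that classifies an appliance inventory against the listed fixed versions; the sample inventory is constructed, and products the advisory names without a fixed version are reported as "consult-vendor".

```python
"""Branch-aware patch-status check against the fixed versions listed in this advisory."""

# Fixed versions from the Recommendations section, keyed by product and release branch (major.minor).
FIXED_VERSIONS = {
    "FortiVoice": {(7, 2): (7, 2, 1), (7, 0): (7, 0, 7), (6, 4): (6, 4, 11)},
    "FortiMail": {(7, 6): (7, 6, 3), (7, 4): (7, 4, 5), (7, 2): (7, 2, 8), (7, 0): (7, 0, 9)},
}
# Products the advisory names as affected without listing a fixed version.
AFFECTED_NO_FIX_LISTED = {"FortiNDR", "FortiRecorder", "FortiCamera"}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (e.g. '7.0.6') into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patch_status(product: str, version: str) -> str:
    """Return 'patched', 'upgrade' or 'consult-vendor' for one appliance.
    Comparison is within the release branch: 7.0.7 fixes the 7.0 branch only."""
    fixes = FIXED_VERSIONS.get(product)
    if fixes is None:
        if product in AFFECTED_NO_FIX_LISTED:
            return "consult-vendor"  # affected per the advisory, fixed build not listed here
        raise ValueError(f"{product!r} is not a product named in this advisory")
    running = parse_version(version)
    fixed = fixes.get(running[:2])
    if fixed is None:
        return "consult-vendor"  # branch not covered by the listed fixed versions
    return "patched" if running >= fixed else "upgrade"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group an appliance inventory by patch status so upgrades can be scheduled first."""
    out: dict[str, list[str]] = {"upgrade": [], "consult-vendor": [], "patched": []}
    for product, version in inventory:
        out[patch_status(product, version)].append(f"{product} {version}")
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    sample = [("FortiVoice", "7.0.6"), ("FortiVoice", "7.2.0"), ("FortiMail", "7.4.5"),
              ("FortiMail", "7.6.2"), ("FortiNDR", "5.0.1"), ("FortiVoice", "6.2.3")]
    for status, items in triage(sample).items():
        print(f"{status}: {items}")
```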


Analyst Notes
This vulnerability represents a significant risk due to its critical CVSS score, lack of authentication requirement, and confirmed active exploitation. The publication of a detailed PoC by reputable researchers significantly increases the likelihood of widespread attacks by less sophisticated actors in the near future. Fortinet products are frequently targeted, as evidenced by this being the 18th Fortinet vulnerability added to the CISA KEV catalog. Organizations using the affected products should treat patching or mitigation as an urgent priority. The observed TTPs, particularly the enabling of debugging modes for credential capture and log wiping, suggest attackers are aiming for deeper network infiltration and long-term persistence beyond simply exploiting the initial RCE.


Threat Indicator Appendix
This appendix lists observed Indicators of Compromise (IoCs) associated with the exploitation of CVE-2025-32756, based on information provided by Fortinet. Monitoring for these indicators can help detect potential compromise.
• Network Activity:
    • Unexpected outbound network scanning originating from Fortinet appliances.
• File System / Log Manipulation:
    • Deletion or modification of crash logs, specifically /var/log/crash.log.
• Configuration Changes:
    • Enabling of fcgi debugging via commands like diagnose debug enable and diagnose fcgi debug enable.
• Malware/Persistence:
    • Presence of unexpected or unknown malware files.
    • Creation of unauthorized cron jobs.
Note: This list is based on publicly available information as of the report date and may not be exhaustive. Threat actor TTPs can evolve.
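As an added example (not from this advisory or from Fortinet), the detection rules below turn the appendix's IoCs into alerts tagged with the tactics from the TTP table. The input is a constructed key=value log format, not a Fortinet log schema, and the scan threshold of 20 distinct destinations is a tuning assumption.

```python
"""Detection logic for the CVE-2025-32756 post-exploitation IoCs in this appendix.

Input is a constructed key=value log format (ts, type, src, dst, msg), not Fortinet's own.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DEBUG_COMMANDS = ("diagnose debug enable", "diagnose fcgi debug enable")  # from the TTP table
CRASH_LOG = "/var/log/crash.log"
CRON_PATHS = ("crontab", "/etc/cron", "/var/spool/cron")
WIPE_RE = re.compile(r"\b(rm|unlink|truncate)\b|>\s*" + re.escape(CRASH_LOG))
SCAN_THRESHOLD = 20  # distinct dst host:port pairs per source; a tuning assumption, not from the advisory

def parse_line(line: str) -> dict[str, str]:
    """Parse one key=value record; double-quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def detect(lines: list[str]) -> list[dict[str, str]]:
    """Return one alert per matched IoC, tagged with the tactic from the advisory's TTP table."""
    alerts: list[dict[str, str]] = []
    seen_dst: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        kind, msg, src = rec.get("type", ""), rec.get("msg", ""), rec.get("src", "?")
        if kind == "cli" and msg.strip().startswith(DEBUG_COMMANDS):
            alerts.append({"tactic": "Credential Access", "src": src, "detail": msg})
        elif kind == "shell" and CRASH_LOG in msg and WIPE_RE.search(msg):
            alerts.append({"tactic": "Defense Evasion", "src": src, "detail": msg})
        elif kind == "shell" and any(p in msg for p in CRON_PATHS):
            alerts.append({"tactic": "Persistence", "src": src, "detail": msg})
        elif kind == "flow":
            seen_dst[src].add(rec.get("dst", ""))
            if len(seen_dst[src]) == SCAN_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"tactic": "Reconnaissance", "src": src,
                               "detail": f"{SCAN_THRESHOLD} distinct destinations"})
    return alerts

# Constructed sample log, not a real capture.
SAMPLE_LOG = [
    'ts=2025-05-20T01:02:03Z type=cli src=10.0.0.9 user=admin msg="diagnose debug enable"',
    'ts=2025-05-20T01:02:05Z type=cli src=10.0.0.9 user=admin msg="diagnose fcgi debug enable"',
    'ts=2025-05-20T01:03:10Z type=shell src=10.0.0.9 msg="rm -f /var/log/crash.log"',
    'ts=2025-05-20T01:04:00Z type=shell src=10.0.0.9 msg="echo \'* * * * * /tmp/.x\' >> /var/spool/cron/root"',
    'ts=2025-05-20T01:05:00Z type=cli src=10.0.0.9 user=admin msg="get system status"',
] + [f"ts=2025-05-20T01:06:{i:02d}Z type=flow src=10.0.0.9 dst=10.0.1.{i}:445" for i in range(1, 26)]
```

Running `detect(SAMPLE_LOG)` yields five alerts for the sample: two for the debug commands, one for the crash-log wipe, one for the cron write, and one scan alert once the source reaches 20 distinct destinations.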

CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
