CVE-2025-32756: Critical Fortinet Vulnerability Under Active Exploitation


A severe zero-day vulnerability in several Fortinet products allows unauthenticated remote code execution via a stack-based buffer overflow. Fortinet has confirmed active exploitation in the wild, especially targeting FortiVoice systems. A PoC exploit written in Python is publicly available, heightening the urgency of patching.

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-32756
  • Vulnerability Type: Stack-based Buffer Overflow (CWE-121)
  • Attack Vector: Remote (Unauthenticated HTTP POST request)
  • CVSS Score: 9.6
  • Affected Endpoint: /remote/hostcheck_validate
  • Affected Products: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera

Root Cause

The vulnerability lies in how the Fortinet software stack processes the AuthHash cookie, specifically its enc parameter.

Vulnerable Behavior:

  • When processing a POST request to /remote/hostcheck_validate, Fortinet products improperly parse and handle the enc parameter.
  • The enc value is copied without bounds checking, so an overlong value corrupts memory on the stack.

Exploitation Process

1. Pre-conditions:

  • The attacker requires no authentication.
  • Target must have HTTP/HTTPS admin interface enabled.

2. Attack Mechanism:

  1. Crafted HTTP POST to /remote/hostcheck_validate
    • The attacker sends a POST request with a malformed AuthHash cookie, in which the enc field contains overlong input to trigger the overflow.
  2. Buffer Overflow Trigger:
    • The stack overflows when parsing the enc parameter.
    • Attacker’s payload can overwrite return addresses or function pointers on the stack.
  3. Arbitrary Code Execution:
    • Malicious shellcode or command sequences are executed.
    • Remote control of the device is achieved.

3. Post-Exploitation:

  • Persistence & Credential Harvesting:
    • Installs /lib/libfmlogin.so to steal SSH credentials.
    • Adds cron jobs to scrape fcgi debug logs.
    • Uploads malware like /bin/wpad_ac_helper.

4. Confirmed In-The-Wild Exploitation:

Fortinet confirms exploitation in FortiVoice. Threat actors erase crash logs, enable fcgi debugging to dump credentials, and perform network reconnaissance.

Indicators Of Attack

  1. Log entries: the following output of the CLI command 'diagnose debug application httpd display trace-log' is a possible IOC:
    [x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection
    [x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
  2. Modified settings: to verify whether fcgi debugging is enabled on your system, run the following CLI command:
    diag debug application fcgi
    If the output shows "general to-file ENABLED", fcgi debugging is enabled on your system:
    fcgi debug level is 0x80041
    general to-file ENABLED
    This is not a default setting, so unless you enabled it yourself in the past, it is a potential Indicator of Compromise.
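The two indicators above can be checked mechanically against exported CLI output. The following Python triage helpers are an added example, not Fortinet tooling: the function names, the constructed trace-log excerpt (timestamp and client address are made up) and the constructed 'diag debug application fcgi' output are this example's own; the two log signatures and the "general to-file ENABLED" line are taken from the advisory text.

```python
"""Added triage helpers for the indicators of attack described above.
These are not Fortinet tooling; the function names and the sample
inputs (a constructed httpd trace-log excerpt and constructed
'diag debug application fcgi' output) are this example's own."""
import re

# Crash signature from the advisory: the admin.fe FastCGI process dies
# with signal 11 (SIGSEGV) after a "communication error".  A SIGSEGV in
# the process that parses the request is consistent with a memory
# corruption attempt, which is why the advisory lists it as an IOC.
FCGI_CRASH_RE = re.compile(
    r"\[fcgid:error\].*?mod_fcgid: process (?P<proc>\S+?)\(\d+\) "
    r"exit\(communication error\), get unexpected signal 11"
)
# Companion warning on the httpd side: the FastCGI server closed the
# connection while httpd was still reading the response.
FCGI_CLOSED_RE = re.compile(
    r"\[fcgid:warn\].*?\[client (?P<client>[^\]]+)\] mod_fcgid: "
    r"error reading data, FastCGI server closed connection"
)


def scan_httpd_trace(lines):
    """Return one finding per trace-log line that matches the advisory's
    crash signature, tagged with the line number, the kind of match and
    the process or client seen in the line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FCGI_CRASH_RE.search(line)
        if m:
            findings.append({"line": n, "kind": "fcgi_sigsegv",
                             "process": m.group("proc")})
            continue
        m = FCGI_CLOSED_RE.search(line)
        if m:
            findings.append({"line": n, "kind": "fcgi_conn_closed",
                             "client": m.group("client")})
    return findings


def fcgi_debug_to_file_enabled(cli_output):
    """True when 'diag debug application fcgi' output reports
    'general to-file ENABLED', which the advisory notes is not a default
    setting.  The last token of the line is compared exactly so that
    'DISABLED' is not mistaken for 'ENABLED'."""
    for line in cli_output.splitlines():
        words = line.split()
        if (len(words) >= 3 and words[0].lower() == "general"
                and words[1].lower() == "to-file"):
            return words[-1].upper() == "ENABLED"
    return False


# Constructed sample input mirroring the advisory's two log lines, with a
# benign line in between; the timestamp and client address are made up.
SAMPLE_TRACE_LOG = [
    "[Tue May 13 10:21:07.123456 2025] [fcgid:warn] [pid 1829] "
    "[client 203.0.113.7:51234] mod_fcgid: error reading data, "
    "FastCGI server closed connection",
    "[Tue May 13 10:21:07.200000 2025] [fcgid:info] [pid 1829] "
    "mod_fcgid: routine status line",
    "[Tue May 13 10:21:07.456789 2025] [fcgid:error] [pid 1503] "
    "mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) "
    "exit(communication error), get unexpected signal 11",
]

# Constructed sample CLI output, copied from the advisory's example.
SAMPLE_FCGI_DEBUG = "fcgi debug level is 0x80041\ngeneral to-file ENABLED\n"

if __name__ == "__main__":
    for finding in scan_httpd_trace(SAMPLE_TRACE_LOG):
        print(finding)
    print("fcgi debug-to-file enabled:",
          fcgi_debug_to_file_enabled(SAMPLE_FCGI_DEBUG))
```

A single signal 11 line can also come from an ordinary crash, so treat a match as a reason to pull the full trace log and check the fcgi debug setting and the file and cron indicators below, not as proof of compromise on its own.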

Recommendations

  1. Upgrade all affected Fortinet products to the fixed versions listed in the advisory (https://fortiguard.fortinet.com/psirt/FG-IR-25-254). Delayed patching significantly increases the risk due to public PoC availability.
  2. Workaround: disable the HTTP/HTTPS administrative interface.
  3. Apply IP-based ACLs/firewall rules to limit admin interface access to a known management subnet or jump host.
  4. Configure alerts on creation of suspicious binaries like /lib/libfmlogin.so, /bin/wpad_ac_helper, or /tmp/.sshdpm.
  5. Look for sudden enabling of fcgi debugging, or for suspicious cron jobs that read password strings from the fcgi debug log, such as:
    0 */12 * * * root grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null > /var/spool/crashlog/fcgi.debug
    0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null > /var/spool/crashlog/fcgi.debug
  6. Block the IOCs in the following collection at their respective security controls:
    https://www.virustotal.com/gui/collection/19505d38e8093faca6ac54ec9130710cfdb4def725020b8eb02b7412fcd9efc8/iocs
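Recommendations 4 and 5 can be turned into a repeatable check over a crontab dump and a file inventory. The following Python code is an added example, not Fortinet or vendor tooling: the function names, the constructed crontab text (one benign line plus the two entries quoted above) and the constructed file inventory are this example's own; the flagged paths and the cron entries come from the advisory.

```python
"""Added checks for the post-exploitation artifacts listed in the
recommendations above: cron entries that harvest credentials from the fcgi
debug log, and the file paths named as dropped by the intrusion.  Not
Fortinet or vendor tooling; the function names and the constructed
crontab text are this example's own.  The two suspicious entries are the
ones quoted in the advisory."""
import re

# Paths the advisory names as post-exploitation artifacts.
SUSPICIOUS_PATHS = {"/lib/libfmlogin.so", "/bin/wpad_ac_helper", "/tmp/.sshdpm"}

# Log that the advisory says attackers enable fcgi debugging to populate.
FCGI_DEBUG_LOG = "/var/spool/crashlog/fcgi.debug"


def classify_cron_line(line):
    """Return the reasons (possibly none) a crontab line resembles the
    credential-harvesting jobs in the advisory.  A line that never
    touches the fcgi debug log gets no reasons at all."""
    reasons = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or FCGI_DEBUG_LOG not in stripped:
        return reasons
    reasons.append("reads or writes the fcgi debug log")
    if re.search(r"\bgrep\b[^;|]*passw", stripped):
        reasons.append("greps the log for password strings")
    if re.search(r">\s*/var/spool/\.", stripped):
        reasons.append("redirects output to a hidden file under /var/spool")
    if re.search(r"cat\s+/dev/null\s*>\s*" + re.escape(FCGI_DEBUG_LOG), stripped):
        reasons.append("truncates the log afterwards (evidence removal)")
    return reasons


def scan_crontab(text):
    """Map line number -> reasons for every flagged line in a crontab dump."""
    flagged = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = classify_cron_line(line)
        if reasons:
            flagged[n] = reasons
    return flagged


def suspicious_paths_present(paths):
    """Return, sorted, the advisory-listed paths that appear in a file inventory."""
    return sorted(SUSPICIOUS_PATHS.intersection(paths))


# Constructed crontab: one benign line plus the two entries quoted in the advisory.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
0 */12 * * * root grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null > /var/spool/crashlog/fcgi.debug
0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null > /var/spool/crashlog/fcgi.debug
"""

# Constructed file inventory, e.g. from a listing of /lib, /bin and /tmp.
SAMPLE_INVENTORY = ["/lib/libc.so.6", "/bin/wpad_ac_helper", "/tmp/.sshdpm", "/bin/sh"]

if __name__ == "__main__":
    for n, reasons in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"crontab line {n}: " + "; ".join(reasons))
    print("suspicious files:", suspicious_paths_present(SAMPLE_INVENTORY))
```

The cron classifier reports each matching trait separately (reads the debug log, greps for password strings, writes to a hidden file, truncates the log) rather than matching the two quoted lines verbatim, so a variant with a different schedule or output path is still flagged; the path check is an exact set intersection, so a renamed binary will not match it and should be caught by file-creation alerting instead.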

Source:

  • https://cybersecuritynews.com/poc-exploit-fortinet-0-day-vulnerability/
  • https://fortiguard.fortinet.com/psirt/FG-IR-25-254

Ampcus Cyber