Fortinet FortiVoice and multiple products, unauthenticated stack-based buffer overflow remote code execution
A stack-based buffer overflow vulnerability in multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera, allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests with a specially crafted hash cookie. The flaw requires no authentication and no user interaction. Fortinet confirmed exploitation in the wild against FortiVoice systems.
Overview
CVE-2025-32756 is a critical stack-based buffer overflow affecting a broad range of Fortinet appliances, including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. A remote, unauthenticated attacker can execute arbitrary code by sending an HTTP request carrying a specially crafted hash cookie. Fortinet published advisory FG-IR-25-254 and disclosed that the flaw was already being exploited in the wild against FortiVoice systems, making it a zero-day. NVD assigns a primary CVSS 3.1 base score of 9.8 and a primary weakness of CWE-787 (out-of-bounds write); Fortinet classifies it more specifically as a stack-based buffer overflow (CWE-121). CISA added it to the Known Exploited Vulnerabilities catalog on 14 May 2025.
Technical Details
The vulnerability is an out-of-bounds write reached through the appliance web interface. A cookie value used during request processing is copied into a fixed-size stack buffer without adequate bounds checking, so an oversized crafted value overruns the buffer and overwrites saved control data on the stack. By controlling the overflow, an attacker redirects execution to attacker-supplied instructions and gains code execution as the web service. Because the trigger is a single unauthenticated HTTP request, exposed management or portal interfaces can be compromised directly from the network.
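To make the pattern described above concrete, here is an added illustration that is not Fortinet's code: a request handler that copies a cookie value into a fixed stack buffer without a bound (the CWE-121 shape the advisory names), next to a hardened version that rejects oversized values before any copy. The buffer size, the cookie name `hash`, and all function names are hypothetical.

```c
/* Added example (not vendor code): unsafe fixed-buffer cookie copy vs. bounded copy. */
#include <stdio.h>
#include <string.h>

#define HASH_COOKIE_LEN 64   /* hypothetical fixed stack buffer size */

/* Locate the value of the "hash=" cookie inside a Cookie header.
 * Returns a pointer to the value (length in *len_out) or NULL if absent.
 * The value runs until the next ';' or the end of the header. */
static const char *find_hash_cookie(const char *cookie_hdr, size_t *len_out) {
    const char *p = cookie_hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, "hash=", 5) == 0) {
            const char *v = p + 5;
            const char *end = strchr(v, ';');
            *len_out = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        const char *next = strchr(p, ';');
        if (!next) break;
        p = next + 1;
    }
    return NULL;
}

/* VULNERABLE PATTERN (illustration only, never run on untrusted input):
 * the value length is trusted, so a value longer than the buffer overwrites
 * whatever sits above it on the stack, including saved control data. */
int handle_request_vulnerable(const char *cookie_hdr) {
    char hash[HASH_COOKIE_LEN];
    size_t n;
    const char *v = find_hash_cookie(cookie_hdr, &n);
    if (!v) return -1;
    memcpy(hash, v, n);          /* no bound check: n may exceed sizeof(hash) */
    hash[n] = '\0';
    return (int)strlen(hash);
}

/* HARDENED: check the length against the destination before copying and
 * always leave room for the terminator. Returns -1 if the cookie is absent,
 * -2 if the value is too long, otherwise the accepted value length. */
int handle_request_hardened(const char *cookie_hdr) {
    char hash[HASH_COOKIE_LEN];
    size_t n;
    const char *v = find_hash_cookie(cookie_hdr, &n);
    if (!v) return -1;
    if (n >= sizeof(hash)) return -2;   /* reject before any byte is written */
    memcpy(hash, v, n);
    hash[n] = '\0';
    return (int)strlen(hash);
}

/* Build a constructed Cookie header "hash=AAAA..." whose value is value_len
 * bytes long (capped to the scratch buffer), to exercise the length check. */
const char *oversized_cookie(size_t value_len) {
    static char buf[512];
    const char prefix[] = "hash=";
    size_t max_val = sizeof(buf) - sizeof(prefix);   /* sizeof(prefix) counts the NUL */
    if (value_len > max_val) value_len = max_val;
    memcpy(buf, prefix, sizeof(prefix) - 1);
    memset(buf + sizeof(prefix) - 1, 'A', value_len);
    buf[sizeof(prefix) - 1 + value_len] = '\0';
    return buf;
}

int main(void) {
    printf("normal cookie  -> %d\n", handle_request_hardened("session=abc; hash=0123456789abcdef"));
    printf("missing cookie -> %d\n", handle_request_hardened("session=abc"));
    printf("400-byte value -> %d\n", handle_request_hardened(oversized_cookie(400)));
    return 0;
}
```

The only difference between the two handlers is the single comparison against `sizeof(hash)`; the vulnerable form is kept here so the missing check is visible, and it is deliberately never invoked.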
Impact
- Unauthenticated remote code execution across multiple Fortinet product families
- Full compromise of voice, mail, network-detection and surveillance appliances
- Interception or manipulation of communications and recorded data handled by the device
- Use of the device as a persistent foothold inside the network
Mitigation
- Upgrade FortiVoice 7.2 to 7.2.1, 7.0 to 7.0.7, and 6.4 to 6.4.11 or above.
- Upgrade FortiMail 7.6 to 7.6.3, 7.4 to 7.4.5, 7.2 to 7.2.8, and 7.0 to 7.0.9 or above.
- Upgrade FortiNDR 7.6 to 7.6.1, 7.4 to 7.4.8, 7.2 to 7.2.5, and 7.0 to 7.0.7 or above.
- Upgrade FortiRecorder 7.2 to 7.2.4, 7.0 to 7.0.6, and 6.4 to 6.4.6 or above; upgrade FortiCamera 2.1 to 2.1.4 or above.
- If immediate patching is not possible, disable the HTTP/HTTPS administrative and portal interface as a temporary workaround.
Detection
- CISA added CVE-2025-32756 to the KEV catalog on 14 May 2025 with a remediation due date of 4 June 2025.
- Fortinet published indicators of compromise: attacker source addresses include 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244 and 218.187.69.59.
- Hunt for the post-exploitation behaviour Fortinet reported, including fcgicrash logging having been enabled by an attacker and crafted entries in the appliance crash logs.
- Review web-interface access logs for abnormally long cookie values and for HTTP requests preceding service crashes.
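As an added example of the two log checks above (not a Fortinet tool or log format), the following scans access-log lines for requests from the published source addresses and for cookie values longer than a threshold. The log format is a constructed one-line-per-request layout, the 256-byte threshold is an assumption to be tuned to the longest legitimate cookie the appliance issues, and the sample lines are constructed.

```c
/* Added example: flag IoC source addresses and oversized cookies in access logs. */
#include <stdio.h>
#include <string.h>

/* Attacker source addresses published by Fortinet for CVE-2025-32756. */
static const char *IOC_IPS[] = {
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90",   "218.187.69.244", "218.187.69.59",
};
#define IOC_COUNT (sizeof(IOC_IPS) / sizeof(IOC_IPS[0]))

/* Assumed threshold: anything longer than a legitimate cookie is suspicious. */
#define MAX_COOKIE_LEN 256

enum { HIT_IOC_IP = 1, HIT_LONG_COOKIE = 2 };

/* Constructed line layout: <client ip> "<request line>" <status> cookie="<Cookie header>"
 * Returns a bitmask of findings (0 = nothing suspicious) or -1 if unparseable. */
int assess_log_line(const char *line) {
    char ip[64];
    if (sscanf(line, "%63s", ip) != 1) return -1;

    int hits = 0;
    for (size_t i = 0; i < IOC_COUNT; i++) {
        if (strcmp(ip, IOC_IPS[i]) == 0) { hits |= HIT_IOC_IP; break; }
    }

    const char *c = strstr(line, "cookie=\"");
    if (!c) return hits;                         /* no cookie logged on this line */
    c += strlen("cookie=\"");
    const char *end = strchr(c, '"');
    size_t cookie_len = end ? (size_t)(end - c) : strlen(c);
    if (cookie_len > MAX_COOKIE_LEN) hits |= HIT_LONG_COOKIE;
    return hits;
}

/* Three constructed sample lines: benign traffic, a request from a published
 * IoC address, and a request carrying a 600-byte cookie value (the 500 status
 * stands in for a request followed by a service crash). */
const char *sample_line(int which) {
    static char long_line[1024];
    switch (which) {
    case 0: return "192.0.2.10 \"GET / HTTP/1.1\" 200 cookie=\"session=abc; hash=0123456789abcdef\"";
    case 1: return "198.105.127.124 \"GET / HTTP/1.1\" 200 cookie=\"hash=0123456789abcdef\"";
    default: {
        size_t pos = (size_t)snprintf(long_line, sizeof(long_line),
                                      "192.0.2.11 \"GET / HTTP/1.1\" 500 cookie=\"hash=");
        memset(long_line + pos, 'A', 600);
        pos += 600;
        long_line[pos++] = '"';
        long_line[pos] = '\0';
        return long_line;
    }
    }
}

/* Run the three samples and return how many were flagged (expected: 2). */
int count_flagged_samples(void) {
    int flagged = 0;
    for (int i = 0; i < 3; i++) {
        int hits = assess_log_line(sample_line(i));
        if (hits > 0) {
            flagged++;
            printf("FLAG%s%s: %.70s\n",
                   (hits & HIT_IOC_IP) ? " ioc-ip" : "",
                   (hits & HIT_LONG_COOKIE) ? " long-cookie" : "",
                   sample_line(i));
        }
    }
    return flagged;
}

int main(void) {
    printf("%d of 3 sample lines flagged\n", count_flagged_samples());
    return 0;
}
```

In practice, feed the real access log through the same two checks and pair any long-cookie hit with the crash-log timeline: a request flagged here that immediately precedes a web-service crash is the sequence the advisory describes.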