Fortinet patched CVE-2025-32756, a critical unauthenticated RCE flaw exploited against FortiVoice systems for credential theft, FastCGI debugging and network scanning.
Fortinet has patched CVE-2025-32756, a critical remote code execution vulnerability exploited in the wild against FortiVoice systems, warning that the same flaw also affects FortiMail, FortiNDR, FortiRecorder and FortiCamera products.
The bug is a stack-based buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending crafted HTTP requests to portal or administrative interfaces. The vulnerability carries a CVSS 9.8 Critical rating and requires no user interaction, no prior access and only network reachability to exploit.
Fortinet disclosed the flaw on May 13, 2025, and said it had observed real-world exploitation against FortiVoice appliances. The U.S. cyber defense agency added the vulnerability to its catalog of known exploited vulnerabilities on May 14, setting a June 4, 2025 remediation deadline for covered federal agencies.
The confirmed exploitation makes this more than a routine patch advisory. Fortinet said the observed attacker activity included scanning the device network, erasing system crash logs and enabling FastCGI debugging to capture credentials from system or SSH login attempts. The company also published file, log and IP indicators tied to the activity.
The vulnerability affects enterprise systems that often sit close to sensitive communications, email, detection, recording or camera infrastructure. FortiVoice is used for unified communications functions such as calling and conferencing, while FortiMail and FortiNDR can occupy high-value positions in enterprise environments. A successful compromise could give attackers a foothold on appliances that defenders may not monitor as closely as traditional servers or endpoints.
The immediate fix is to upgrade affected systems to fixed versions. Fortinet also advises disabling the HTTP/HTTPS administrative and portal interface if patching cannot be completed immediately.
| Product | Affected versions | Fixed version or action |
|---|---|---|
| FortiVoice 7.2 | 7.2.0 | Upgrade to 7.2.1+ |
| FortiVoice 7.0 | 7.0.0-7.0.6 | Upgrade to 7.0.7+ |
| FortiVoice 6.4 | 6.4.0-6.4.10 | Upgrade to 6.4.11+ |
| FortiMail 7.6 | 7.6.0-7.6.2 | Upgrade to 7.6.3+ |
| FortiMail 7.4 | 7.4.0-7.4.4 | Upgrade to 7.4.5+ |
| FortiMail 7.2 | 7.2.0-7.2.7 | Upgrade to 7.2.8+ |
| FortiMail 7.0 | 7.0.0-7.0.8 | Upgrade to 7.0.9+ |
| FortiNDR 7.6 | 7.6.0 | Upgrade to 7.6.1+ |
| FortiNDR 7.4 | 7.4.0-7.4.7 | Upgrade to 7.4.8+ |
| FortiNDR 7.2 | 7.2.0-7.2.4 | Upgrade to 7.2.5+ |
| FortiNDR 7.0 | 7.0.0-7.0.6 | Upgrade to 7.0.7+ |
| FortiRecorder 7.2 | 7.2.0-7.2.3 | Upgrade to 7.2.4+ |
| FortiRecorder 7.0 | 7.0.0-7.0.5 | Upgrade to 7.0.6+ |
| FortiRecorder 6.4 | 6.4.0-6.4.5 | Upgrade to 6.4.6+ |
| FortiCamera 2.1 | 2.1.0-2.1.3 | Upgrade to 2.1.4+ |
| FortiCamera 2.0 / 1.1 | All versions | Migrate to a fixed release |
The technical trigger involves HTTP requests containing a specially crafted hash cookie. Independent reverse engineering of patched and unpatched Fortinet builds points to cookie parsing around an APSCOOKIE value containing fields such as Era, Payload and AuthHash. The vulnerable code path appears to decode attacker-controlled AuthHash data into a fixed-size stack buffer, while the patched version adds a length check.
That finding aligns with the severity rating: a network-reachable, unauthenticated memory corruption bug in an administrative interface gives attackers a direct path to code execution if exposed systems remain unpatched.
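As an added illustration of the bug class that finding describes, and not Fortinet's code: a cookie parser that decodes an AuthHash value into a fixed 32-byte stack buffer, first in the unpatched shape (no length check) and then with the check the fix adds. The field syntax, the hex encoding and the buffer size are assumptions; the page only names the fields.

```c
#include <stddef.h>
#include <string.h>
#define AUTHHASH_LEN 32   /* assumed size of the fixed stack buffer */
/* Value of "key=" in a body like "Era=0&Payload=abc&AuthHash=..." (syntax assumed). */
static const char *cookie_field(const char *cookie, const char *key, size_t *len) {
    size_t klen = strlen(key);
    for (const char *p = cookie; *p; p++) {
        if ((p == cookie || p[-1] == '&') && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
    }
    return NULL;
}

static int nib(char c) {   /* one hex digit to its value, -1 if not hex */
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hex-decode n characters into dst; returns bytes written or -1 on bad input. */
static int hex_decode(const char *src, size_t n, unsigned char *dst) {
    if (n % 2) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nib(src[i]), lo = nib(src[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        dst[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* Unpatched pattern: no length check, so an over-long AuthHash would write past 'hash'. */
int parse_authhash_unchecked(const char *cookie) {
    unsigned char hash[AUTHHASH_LEN];
    size_t n; const char *v = cookie_field(cookie, "AuthHash", &n);
    return v ? hex_decode(v, n, hash) : -1;
}

/* Patched pattern: bound the encoded length before any byte is written. */
int parse_authhash_checked(const char *cookie) {
    unsigned char hash[AUTHHASH_LEN];
    size_t n; const char *v = cookie_field(cookie, "AuthHash", &n);
    if (!v) return -1;
    if (n > AUTHHASH_LEN * 2) return -2;   /* the length check the fix adds */
    return hex_decode(v, n, hash);
}
```

The unchecked variant is only ever safe to call with a value that fits; the checked one rejects anything longer before touching the buffer.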
Exploitation chain: Crafted HTTP request → Portal/admin interface → Hash cookie parsing → Stack buffer overflow → Remote code execution → Credential theft and network scanning
Fortinet's indicators suggest attackers were not merely testing the bug. The observed activity included persistence- and credential-oriented behavior, including modifications to SSH-related configuration and the addition of files used to collect credentials.
Notable file and path indicators include:
| Indicator | Significance |
|---|---|
| /bin/wpad_ac_helper | Main malware file reported in observed activity |
| /lib/libfmlogin.so | Malicious library used to log SSH usernames and passwords |
| /tmp/.sshdpm | File containing credentials gathered by the malicious SSH component |
| /bin/fmtest | Script used for network scanning |
| /var/spool/.sync | Output location for collected credentials |
| /etc/pam.d/sshd | Modified to load the malicious login-related library |
| /etc/httpd.conf | Modified to load a SOCKS-related module |
| /data/etc/crontab | Modified to collect sensitive FastCGI debug data |
Administrators can check whether FastCGI debugging has been enabled with:
diag debug application fcgi
If the output shows "general to-file ENABLED", Fortinet says that is not a default setting and may indicate compromise unless the organization intentionally enabled it.
Fortinet also reported the following IP addresses in connection with the observed activity:
Those addresses should be treated as threat-hunting leads, not as a complete map of attacker infrastructure. Organizations should correlate them with logs, appliance telemetry and local context before making blocking or incident-response decisions.
The key caveat is scope. Exploitation has been confirmed against FortiVoice, while the underlying vulnerability affects several other Fortinet product families. Publicly available information does not establish that FortiMail, FortiNDR, FortiRecorder or FortiCamera systems have also been exploited in the wild.
No public attribution has been made to a named threat actor, and ransomware use is listed as unknown. There is also no reliable public victim count.
For defenders, the priority is straightforward: identify internet-exposed Fortinet systems, patch affected versions, disable exposed administrative and portal interfaces where immediate upgrades are not possible, and hunt for the published log, file and configuration indicators. The combination of unauthenticated remote code execution, confirmed exploitation and credential collection makes CVE-2025-32756 an urgent edge-appliance vulnerability rather than a low-risk maintenance item.