Vulnerability Description
CVE-2025-32756 is a critical, stack-based buffer overflow vulnerability with a CVSS Score of 9.8 affecting Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
If successfully exploited, it allows a remote unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests with specially crafted hash cookies.
Threat Activity
Fortinet’s Product Security Incident Response Team (PSIRT) publicly disclosed evidence of threat activity on May 13, 2025. They released a security advisory consolidating related IoCs including suspicious log entries, IP addresses, modified system files, and configuration changes.
They recommended checking for signs of compromise using their provided CLI commands and inspecting specific system files. Additionally, they advised disabling the HTTP/HTTPS administrative interface of affected devices as a workaround until patches are applied.
This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 14, 2025. There is no evidence that a public proof-of-concept exploit exists at the time of writing this advisory.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-32756 – CVSS 9.8 (critical) – assigned by Fortinet, Inc. |
| Vulnerability Description | A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. |
| Date of Disclosure | May 13, 2025 |
| Date Reported as Actively Exploited | May 13, 2025 |
| Affected Assets | FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. |
| Vulnerable Software Versions | FortiCamera (versions 2.1.0–2.1.3, 2.0 all versions, 1.1 all versions)FortiMail (versions 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8)FortiNDR (versions 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.1 all versions, 7.0.0–7.0.6, 1.5 all versions, 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions)FortiRecorder (versions 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5)FortiVoice (versions 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10) |
| PoC Available? | A public PoC exploit has been published here. |
| Exploitation Status | Evidence of active exploitation was observed on May 13, 2025 by the FortiGuard PSIRT team and this vulnerability was added to CISA KEV on May 14, 2025. |
| Patch Status | This vulnerability has been patched in the following releases: FortiCamera (versions 2.1.4 and above)FortiMail (versions 7.6.3 and above, 7.4.5 and above, 7.2.8 and above, 7.0.9 and above)FortiNDR (versions 7.6.1 and above, 7.4.8 and above, 7.2.5 and above, 7.0.7 and above; all others require migration to a fixed release)FortiRecorder (versions 7.2.4 and above, 7.0.6 and above, 6.4.6 and above)FortiVoice (versions 7.2.1 and above, 7.0.7 and above, 6.4.11 and above) |
Censys Perspective
At the time of writing, Censys observed a total of 2,878 exposed Fortinet devices potentially vulnerable to this exploit, with the following breakdown by product (some devices had more than one product co-located on the same device):
- 1,410 exposed FortiVoice instances
- 1,163 exposed FortiMail instances
- 253 exposed FortiRecorder instances
- 48 exposed FortiNDR instances
- 4 exposed FortiCamera instances
Note that not all instances observed are necessarily vulnerable as we do not have specific versions available.
The queries below can be used to identify internet-facing instances of Fortinet Products mentioned in this advisory, but they are not necessarily vulnerable to the exploit.
host.services.software: (vendor:"Fortinet" and product:{"FortiVoice", "FortiNDR", "FortiRecorder", "FortiCamera", "FortiMail"}) or web.software: (vendor:"Fortinet" and product:{"FortiVoice", "FortiNDR", "FortiRecorder", "FortiCamera", "FortiMail"})services.software: (vendor="Fortinet" and product:{"FortiVoice", "FortiNDR", "FortiRecorder", "FortiCamera", "FortiMail"})host.services.software: (vendor:"Fortinet" and product:{"FortiVoice", "FortiNDR", "FortiRecorder", "FortiCamera", "FortiMail"}) or web_entity.instances.software: (vendor:"Fortinet" and product:{"FortiVoice", "FortiNDR", "FortiRecorder", "FortiCamera", "FortiMail"})Please note that these fingerprints were recently deployed and results may take up to 24 hours to fully propagate.
