FortiFlaw: Critical Stack-Based Buffer Overflow in Multiple Fortinet Products

A critical zero-day vulnerability, tracked as CVE-2025-32756 and assigned a CVSS score of 9.8, has been discovered in several Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests.

The vulnerability is actively exploited in the wild, particularly targeting FortiVoice systems. While the full scale of these attacks and the identity of the threat actors remain unclear, observed activity suggests a high level of sophistication. Attackers have been seen performing network scans, erasing system crash logs, and enabling fcgi debugging, a technique used to capture credentials from the system or intercept SSH login attempts.

Technical Details

The root cause of this vulnerability lies in improper bounds checking during HTTP request processing. Bounds checking ensures input data does not exceed the allocated memory space. In this case, the flaw occurs due to insufficient validation of specific fields within HTTP requests, such as headers, cookies, or parameters.

Attackers can exploit this weakness by sending specially crafted HTTP cookies. Although these cookies are typically hashed to prevent tampering and improve security, the vulnerable systems fail to correctly validate their size and content before processing them. An attacker triggers a stack-based buffer overflow by sending a cookie whose specially crafted hash value exceeds the expected size or contains malicious data.

This overflow causes excess data to overwrite adjacent memory on the stack, allowing the attacker to manipulate the application’s execution flow and potentially execute arbitrary code or commands on the affected system without requiring authentication.

Some indicators of compromise for the above vulnerability include:

  • suspicious HTTP requests with abnormally large cookie values
  • unusual system processes or user accounts
  • fcgi debugging enabled without having been configured by administrators
  • erased or missing system crash logs
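The first indicator above, abnormally large cookie values, is simple to check for in captured traffic. The following is an added example, not code from this advisory or from Fortinet: it parses raw HTTP requests, splits the Cookie header into name/value pairs and flags any value longer than a threshold. The threshold, the cookie names and the sample requests are constructed assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Threshold is an assumption for this example: a legitimately hashed cookie
# value is tens of bytes (a hex digest), so a multi-kilobyte value is a red flag.
MAX_COOKIE_VALUE_LEN = 512

def extract_cookie_header(raw_request: str) -> Optional[str]:
    """Return the value of the Cookie header from a raw HTTP request, if any."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return None

def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; a bare name gets an empty value."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies

def oversized_cookies(raw_request: str, limit: int = MAX_COOKIE_VALUE_LEN) -> List[Tuple[str, int]]:
    """Return (cookie name, value length) for every cookie value longer than limit."""
    header = extract_cookie_header(raw_request)
    if header is None:
        return []
    return [(n, len(v)) for n, v in parse_cookie_header(header).items() if len(v) > limit]

def scan_requests(requests: List[str]) -> List[Tuple[int, str, List[Tuple[str, int]]]]:
    """Flag each request (by index and request line) that carries an oversized cookie."""
    findings = []
    for i, req in enumerate(requests):
        hits = oversized_cookies(req)
        if hits:
            findings.append((i, req.split("\r\n", 1)[0], hits))
    return findings

# Constructed sample traffic (cookie names are made up): a normal request with a
# short hex-digest cookie, one whose hash-style cookie is thousands of bytes long,
# and one with no Cookie header at all.
SAMPLE_REQUESTS = [
    "GET /admin/ HTTP/1.1\r\nHost: voice.example.internal\r\n"
    "Cookie: lang=en; session_hash=" + "ab12" * 10 + "\r\n\r\n",
    "GET /admin/ HTTP/1.1\r\nHost: voice.example.internal\r\n"
    "Cookie: lang=en; session_hash=" + "41" * 2048 + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: voice.example.internal\r\n\r\n",
]
```

Calling `scan_requests(SAMPLE_REQUESTS)` reports only the second request, with `session_hash` at 4096 bytes; on real captures, feed it the raw requests from a proxy or packet capture in front of the affected product.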

Impact

This vulnerability can be particularly dangerous because it can be exploited remotely without authentication. Successful exploitation could allow malicious code to execute with the same privileges as the application, leading to unauthorized access, data exfiltration, or further compromise of the network.

Products affected

The issue affects the following products and versions:

  • FortiCamera versions 1.1, 2.0, 2.1.x
  • FortiMail versions 7.0.x, 7.2.x, 7.4.x, 7.6.x
  • FortiNDR versions 1.1, 1.2, 1.3, 1.4, 1.5, 7.1, 7.0.x, 7.2.x, 7.4.x, 7.6.x
  • FortiRecorder versions 6.4.x, 7.0.x, 7.2.x
  • FortiVoice versions 6.4.x, 7.0.x, 7.2.x

Solution and Mitigation

The issue can be fixed by upgrading the software to any of the following versions:

  • FortiCamera to version 2.1.4 or above.
  • FortiMail to version 7.0.9, 7.2.8, 7.4.5, 7.6.3 or above.
  • FortiNDR to version 7.0.7, 7.2.5, 7.4.8, 7.6.1 or above.
  • FortiRecorder to version 6.4.6, 7.0.6, 7.2.4 or above.
  • FortiVoice to version 6.4.11, 7.0.7, 7.2.1 or above.

Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.