A stack-based buffer overflow in multiple Fortinet solutions is being actively exploited. The vulnerability allows unauthenticated attackers to execute their own code via crafted HTTP requests.
Fortinet warns of a critical vulnerability that can affect various solutions. The vulnerability, tracked as CVE-2025-32756 and classified by Fortinet as CWE-121 (stack-based buffer overflow), has already been exploited in practice on FortiVoice communication systems. FortiNDR, FortiRecorder, and FortiCamera are also said to be susceptible. The vulnerability was discovered by Fortinet’s own product security team after analyzing suspicious activities.
Through specially crafted HTTP requests, an attacker can execute arbitrary commands on the system without authentication. In a recorded attack, the attacker performed various actions: the network was scanned, crash logs were deleted, and FCGI debugging was enabled. With this debugging enabled, passwords can be intercepted from the system or from SSH login attempts.
Fortinet shares a list of possible actions that may indicate a successful attack. These include modified system settings, log files, and added files, including malware that intercepts SSH passwords. Suspicious IP addresses are also shared.
Patch available
The vulnerability affects different software versions of the involved products. Fortinet has released updates or asks customers to migrate to a patched version. For FortiVoice, users must upgrade to version 7.2.1 or higher. A complete list of affected versions and their corresponding solutions is available.
As a temporary measure, Fortinet advises disabling the management interface via HTTP/HTTPS. Organizations using one of the affected products would do well to check their systems for signs of abuse. However, prompt patching is the best remedy.
In recent months, critical vulnerabilities have occurred more frequently in various Fortinet products, such as FortiGate and FortiSwitch. The most recent backdoor in FortiGate is an old vulnerability from 2022 that has resurfaced. Companies in the Benelux and France are also at risk.