🔴 CVE-2025-32756

Critical stack-based buffer overflow vulnerability in multiple Fortinet server products that allows remote unauthenticated code execution via crafted HTTP requests. This vulnerability is actively exploited in the wild and affects enterprise-grade security and communications infrastructure commonly exposed to the internet.

Risk Level: HIGH_RISK

CVSS Score: 9.6

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-14 (1 day between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-32756 is a critical security vulnerability affecting multiple Fortinet products, which has been confirmed as exploited in the wild [1] [6].

Vulnerability Overview
  • Type: Stack-based buffer overflow (CWE-121) [4].
  • Severity: Critical (CVSSv3 scores reported between 9.6 and 9.8) [1] [5].
  • Impact: Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code or commands on the target system [2] [7].

Exploitation Details
  • Attack Method: Attackers exploit the vulnerability by sending specially crafted HTTP requests containing a malicious "hash" cookie to the target device [2] [7].
  • Requirements: The attack is remote and does not require authentication or user interaction [2] [1].
  • Active Exploitation: The vulnerability was disclosed on May 13, 2025, and was confirmed to be exploited in the wild at the time of disclosure [1] [6].
  • PoC Availability: Proof-of-concept (PoC) code has been made publicly available, which increases the risk of further exploitation [3].

Affected Products and Mitigation
The vulnerability affects several Fortinet security appliances, including:
  • FortiVoice
  • FortiMail
  • FortiNDR
  • FortiRecorder
  • FortiCamera

*Note: Specific version information is detailed in the official Fortinet PSIRT advisory [1].*

Recommendation: Organizations using these products should consult the official [Fortinet PSIRT advisory (FG-IR-25-254)](https://fortiguard.fortinet.com/psirt/FG-IR-25-254) to identify affected versions and apply the necessary patches or configuration mitigations immediately [1].

Sources

  1. Stack-based buffer overflow vulnerability in API - FortiGuard Labs

    Attack Type, Unauthenticated ; Known Exploited, Yes ; CVSSv3 Score, 9.6 ; Impact, Execute unauthorized code or commands ; CVE ID, CVE-2025-32756. ... A stack-based buffer overflow vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow remote code execution. See aff…

  2. CVE-2025-32756 Detail - NVD

    A remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie. ... A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary code or commands via HTTP requests with specially crafted hash cookie. The v…

  3. kn0x0x/CVE-2025-32756-POC: Proof of Concept for CVE ... - GitHub

    Proof of Concept for CVE-2025-32756 - A critical stack-based buffer overflow vulnerability affecting multiple Fortinet products. ... CVE-2025-32756: Fortinet RCE PoC A proof-of-concept for the critical stack-based buffer overflow vulnerability (CVE-2025-32756) affecting Fortinet products.

  4. CVE-2025-32756 : A stack-based buffer overflow vulnerability [CWE-121 ...

    CVSS scores for CVE-2025-32756 ... CWE ids for CVE-2025-32756 CWE-121 Stack-based Buffer Overflow A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

  5. Stack-Based Buffer Overflow Vulnerability Affecting Multiple Fortinet ...

    CVE-2025-32756 is a critical, stack-based buffer overflow vulnerability with a CVSS Score of 9.8 affecting Fortinet FortiVoice, FortiMail, FortiNDR…

  6. Multiple Fortinet products CVE-2025-32756 exploited in the ... - Rapid7

    On 5/13/25, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple FortiNet products. Learn more!…

  7. CVE-2025-32756 - Critical Stack-Based Buffer Overflow in Fortinet ...

    Overview CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting several Fortinet security appliances, including FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera. This vulnerability can allow remote, unauthenticated attackers to execute arbitrary code or comma…