CVE-2025-32756

What is Fortinet FortiVoice?

Fortinet FortiVoice is an enterprise IP PBX and unified communications platform — the phone system for businesses. FortiMail is Fortinet's enterprise email security gateway. FortiNDR is Fortinet's network detection and response appliance for AI-based network threat analytics. FortiRecorder and FortiCamera are surveillance/video recording systems. All affected products share a common vulnerable code component in their HTTP request processing stack, making CVE-2025-32756 a cross-product vulnerability requiring patches across multiple Fortinet product lines.

Overview

CVE-2025-32756 is a critical stack-based buffer overflow vulnerability (CWE-121, CVSS 9.8) affecting Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. A single unauthenticated HTTP request triggers a stack overflow in the /remote/hostcheck_validate endpoint's handling of the enc parameter, enabling arbitrary code execution as root. Fortinet confirmed active in-the-wild exploitation against FortiVoice instances as a zero-day before the advisory was published. Attacker TTPs included persistent cron jobs for credential harvesting and log erasure to cover tracks. CISA added it to the KEV catalog one day after the advisory.

Affected Versions

Technical Details

The vulnerability (CWE-121: Stack-Based Buffer Overflow) is in the shared HTTP processing component across all affected products. Specifically, the /remote/hostcheck_validate endpoint processes the enc parameter from HTTP requests without adequate bounds checking. The parameter value is copied into a fixed-size stack buffer; an oversized value overflows the buffer and overwrites the saved return address on the stack. An attacker sends a single crafted HTTP or HTTPS request with a malicious enc value, redirecting execution to attacker-controlled code and running it as root.

The attack requires no authentication, no session, and no prior knowledge of the environment — only network access to the affected appliance's web interface (typically port 443).

Discovery

Fortinet's PSIRT confirmed active in-the-wild exploitation before the advisory; no external researcher is credited for the initial discovery.

Exploitation Context

Fortinet confirmed active zero-day exploitation of FortiVoice instances before the May 13, 2025 advisory. Observed attacker TTPs (post-exploitation):

• Network scanning from compromised devices targeting adjacent systems
• Cron job installation for persistent credential harvesting from SSH login processes
• fcgi debug mode activation to log credentials from SSH login events to /data/logfiles/fcgi.log
• Log erasure to remove exploitation artifacts (/var/log/messages, crash logs)
• Attack infrastructure IP addresses: 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, 218.187.69.59

CISA added CVE-2025-32756 to the KEV catalog on 14 May 2025. No specific named threat actor has been publicly attributed.

Remediation

1. Apply fixes for all affected Fortinet products in your environment — all five products share the vulnerable component and all require patching.
2. Check for attacker persistence indicators:
   • Review crontab entries on affected appliances for unauthorized jobs
   • Check if fcgi debug mode is enabled: review /etc/fcgi.conf for debug settings
   • Examine /data/logfiles/fcgi.log for captured credentials
   • Review syslog and system logs for erasure evidence
3. Block the attacker IPs at perimeter firewalls: 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, 218.187.69.59
4. Restrict web interface access — limit HTTPS management access to trusted administrative IP ranges for all affected appliances.
5. Rotate all credentials accessible from FortiVoice (VoIP extensions, admin accounts) and FortiMail (SMTP relay credentials, admin passwords) if exploitation is suspected.