Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited
Summary :
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-32756 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-32756 | Fortinet Products | Critical |
Technical Summary
CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.
This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication.
The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-32756 | FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera | Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate. | Remote Code Execution, Full device takeover, persistence, data theft, log erasure. |
Remediation:
- Update Immediately: Apply the latest security patches provided by Fortinet.
- FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+
- FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+
- FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+
- FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+
- FortiCamera: 2.1.4+
- Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround
Indicator of Compromise
For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:
| IP Addresses | FileHash-MD5 |
| 156.236.76.90 | 2c8834a52faee8d87cff7cd09c4fb946 |
| 198.105.127.124 | 4410352e110f82eabc0bf160bec41d21 |
| 218.187.69.244 | 489821c38f429a21e1ea821f8460e590 |
| 218.187.69.59 | ebce43017d2cb316ea45e08374de7315 |
| 43.228.217.173 | 364929c45703a84347064e2d5de45bcd |
| 43.228.217.82 |
Conclusion:
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.
Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss.
These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.
Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.
References:
