A new proof-of-concept (PoC) exploit for a critical zero-day vulnerability affecting multiple Fortinet products raises urgent concerns about the security of enterprise network infrastructure.
The vulnerability, tracked as CVE-2025-32756, carries a maximum CVSS score of 9.8 and enables unauthenticated remote code execution through a stack-based buffer overflow flaw.
The vulnerability exists in the processing of the AuthHash cookie parameter within the /remote/hostcheck_validate endpoint across several Fortinet products.
The flaw stems from improper bounds checking when handling the “enc” parameter, allowing attackers to trigger buffer overflow conditions without requiring authentication credentials.
The Python-based exploit leverages a stack-based buffer overflow to achieve unauthenticated remote code execution. It operates by sending a malformed HTTP POST request to the /remote/hostcheck_validate endpoint, specifically manipulating the enc parameter within the AuthHash cookie. The PoC is invoked from the command line as:
python3 fortinet_cve_2025_32756_poc.py target_ip [-p port] [-d]
Affected products include FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera systems. The vulnerability enables remote attackers to execute arbitrary code or commands through specially crafted HTTP requests, potentially giving them complete control over compromised devices.
Active Exploitation Confirmed
Fortinet has confirmed that this vulnerability is being actively exploited in the wild, specifically targeting FortiVoice installations.
The company’s security team has identified specific threat actor activities following successful exploitation attempts, including network reconnaissance operations and system log manipulation.
Observed attack patterns include scanning of device networks, systematic erasure of system crash logs, and the enabling of fcgi debugging functionality to capture credentials from system or SSH login attempts.
These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.
Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59. Organizations should immediately block these addresses and monitor for connections from these sources.
The attackers have deployed multiple malicious files on compromised systems, including /bin/wpad_ac_helper as the primary malware component, modified crontab entries to harvest sensitive data, and a malicious library /lib/libfmlogin.so designed to capture SSH credentials. These modifications represent a comprehensive persistence strategy aimed at long-term access maintenance.
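The endpoint and cookie parameter described above, together with the attacker IP addresses listed, can be turned into a first-pass detection over HTTP access logs. The following is an added example written for this article, not code from the article, the PoC or Fortinet; it assumes a combined-log style line with the Cookie header as the last quoted field, that the enc field appears as an ampersand-separated key=value pair inside the AuthHash value, and a length threshold (ENC_LEN_THRESHOLD) chosen here rather than taken from any vendor guidance. The sample log lines are constructed.

```python
import re

# Source IPs the article attributes to the attackers (taken from the page).
IOC_IPS = {"198.105.127.124", "43.228.217.173", "43.228.217.82",
           "156.236.76.90", "218.187.69.244", "218.187.69.59"}
VULN_PATH = "/remote/hostcheck_validate"
ENC_LEN_THRESHOLD = 256  # assumed: benign enc values are short, overflow attempts are not

# Assumed log layout: combined-log style with the Cookie header as the last
# quoted field. Adapt the pattern to what your proxy or WAF actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \d+ "(?P<cookie>[^"]*)"$')
AUTHHASH_RE = re.compile(r'(?:^|;\s*)AuthHash=([^;]*)')

def enc_length(authhash):
    """Length of the enc field in AuthHash. Assumption: '&'-separated key=value
    pairs; with no enc field the whole value counts, so a bare blob is still caught."""
    for part in authhash.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == "enc":
            return len(value)
    return len(authhash)

def analyze_line(line):
    """Return (ip, [reasons]) when a line is suspicious, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("known-attacker-ip")
    if m["method"] == "POST" and m["path"].split("?")[0] == VULN_PATH:
        cookie = AUTHHASH_RE.search(m["cookie"])
        if cookie and enc_length(cookie.group(1)) > ENC_LEN_THRESHOLD:
            reasons.append("oversized-enc")
    return (m["ip"], reasons) if reasons else None

def analyze_log(lines):
    """Run analyze_line over an iterable of log lines, keeping only the hits."""
    return [hit for hit in map(analyze_line, lines) if hit]

# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/May/2025:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 512 "-"',
    '198.105.127.124 - - [13/May/2025:10:01:09 +0000] "GET /remote/login HTTP/1.1" 200 512 "-"',
    '203.0.113.77 - - [13/May/2025:10:02:15 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 500 0 "AuthHash=enc=' + "A" * 600 + '"',
    '203.0.113.10 - - [13/May/2025:10:03:00 +0000] "POST /remote/hostcheck_validate HTTP/1.1" 200 80 "AuthHash=enc=abc123; lang=en"',
]
```

A match on "oversized-enc" is a trigger for investigation, not proof of compromise; pair it with the host-side indicators the article lists (the /bin/wpad_ac_helper binary, /lib/libfmlogin.so, crontab changes, missing crash logs and fcgi debugging turned on).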
Fortinet has released security patches for all affected products. Organizations must immediately update to the following minimum versions: FortiVoice 7.2.1+, 7.0.7+, or 6.4.11+; FortiMail 7.6.3+, 7.4.5+, 7.2.8+, or 7.0.9+; FortiNDR 7.6.1+, 7.4.8+, 7.2.5+, or 7.0.7+; FortiRecorder 7.2.4+, 7.0.6+, or 6.4.6+; and FortiCamera 2.1.4+.
As an interim workaround, organizations can disable HTTP/HTTPS administrative interfaces on affected devices. However, this temporary measure should not replace immediate patching efforts.
The availability of working exploit code significantly increases the risk profile for unpatched systems, making urgent remediation critical for maintaining network security integrity.
The post PoC Exploit Released for Fortinet 0-Day Vulnerability that Allows Remote Code Execution appeared first on Cyber Security News.