FortiVoice Zero Day RCE Exploited

Successful exploitation of CVE-2025-32756 allows attackers to execute arbitrary commands remotely without credentials, potentially leading to full system compromise and data breaches. Threat actors have actively targeted FortiVoice and other Fortinet products, enabling fcgi debugging to capture sensitive information and deleting system logs to cover their tracks. #Fortinet #FortiVoice #FortiMail #FortiNDR #FortiRecorder #FortiCamera

Keypoints

  • The vulnerability CVE-2025-32756 affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera across various versions.
  • Attackers can exploit the vulnerability remotely without valid credentials by sending specially crafted HTTP requests to systems with the FastCGI debugging option enabled.
  • Successful exploitation enables arbitrary command execution, leading to full control over affected systems, data breaches, and lateral movement to other internal assets.
  • Threat actors actively conducted network scans, deleted crash logs, and enabled FCGI debugging to harvest credentials from the system and SSH login attempts.
  • Indicators of Compromise include altered or newly added files such as /bin/wpadachelper, /lib/libfmlogin.so, and malicious cron jobs that extract sensitive information from fcgi.debug logs.
  • Fortinet recommends immediate patching of vulnerable systems or disabling HTTP/HTTPS administrative interfaces as a temporary mitigation.
  • Detection methods involve verifying if fcgi debugging is enabled using CLI commands and monitoring specific log entries for FastCGI communication errors and unexpected signals.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used to execute arbitrary commands on affected systems after enabling fcgi debugging. (“…allows an attacker to execute arbitrary commands…”)
  • [T1071] Application Layer Protocol – Attackers send HTTP requests to remotely exploit vulnerabilities without valid credentials. (“The attack can be performed remotely… by sending HTTP requests to the vulnerable system.”)
  • [T1005] Data from Local System – Threat actors collected credentials from fcgi.debug logs and SSH login attempts. (“…enabling FCGI debugging to capture credentials from the system or SSH login attempts.”)
  • [T1112] Modify Registry or Configuration Setting – Enabled the fcgi debugging option which is not a default setting, indicating malicious configuration changes. (“The flaw arises from the fcgi debugging option being enabled on the affected system.”)
  • [T1069] Permission Groups Discovery – Scanned network to find additional vulnerable devices and expand access. (“…threat actor was observed conducting network scans on affected devices.”)
  • [T1070] Indicator Removal on Host – Deleted system crash logs to cover tracks. (“…deleting system crash logs…”)
  • [T1036] Masquerading – Added malicious files such as /bin/wpadachelper and /lib/libfmlogin.so to disguise malware as legitimate processes. (“[Added File] /bin/wpadachelper – main malware file”)

Indicators of Compromise

  • [IP Addresses] Threat actor infrastructure – 198.105.127.124, 43.228.217.173, 156.236.76.90, 218.187.69.244, and others used to conduct attacks and scans.
  • [File Hashes] Malicious files deployed on compromised systems – 4410352e110f82eabc0bf160bec41d21 (/bin/wpadachelper), 364929c45703a84347064e2d5de45bcd (/lib/libfmlogin.so), 2c8834a52faee8d87cff7cd09c4fb946 (/bin/fmtest), and additional busybox hashes.
  • [File Names] Added or modified system files indicating compromise – /bin/wpadachelper, /lib/libfmlogin.so, /bin/busybox, /tmp/.sshdpm, /etc/pam.d/sshd, /etc/httpd.conf, /var/spool/.sync.
  • [Log Entries] FastCGI errors and warnings – messages like “mod_fcgid: error reading data, FastCGI server closed connection” and unexpected signal 11 errors in HTTP daemon trace logs.
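As an added defender-side example (not code from the Truesec write-up or from Fortinet), the Python below turns the detection points listed above into checks: it counts the two quoted mod_fcgid / signal 11 messages in HTTP daemon trace lines, flags cron entries that reference fcgi.debug, and intersects a device file listing with the IOC paths. The log line prefix layout, the crontab contents and the /var/log/fcgi.debug path are assumptions made for the sample data.

```python
import re
from collections import Counter

# Constructed sample HTTP daemon trace lines. Only the two quoted messages come from
# the write-up; the timestamp/prefix layout is an assumed format, not Fortinet's.
SAMPLE_HTTPD_LOG = """\
2025-05-13 10:01:02 httpd[2201]: mod_fcgid: error reading data, FastCGI server closed connection
2025-05-13 10:01:02 httpd[2201]: mod_fcgid: process exited, get unexpected signal 11
2025-05-13 10:01:05 httpd[2201]: request for /login served normally
2025-05-13 10:02:30 httpd[2201]: mod_fcgid: error reading data, FastCGI server closed connection
"""

# Constructed crontab content; the write-up only says cron jobs read fcgi.debug,
# so the job line and the /var/log/fcgi.debug path are assumptions.
SAMPLE_CRONTAB = """\
0 * * * * /bin/logrotate /etc/logrotate.conf
*/5 * * * * /bin/wpadachelper /var/log/fcgi.debug
"""

# File paths the write-up lists as added or modified on compromised devices.
IOC_PATHS = {"/bin/wpadachelper", "/lib/libfmlogin.so", "/bin/busybox",
             "/tmp/.sshdpm", "/etc/pam.d/sshd", "/etc/httpd.conf", "/var/spool/.sync"}

LOG_PATTERNS = {
    "fcgi_closed": re.compile(r"mod_fcgid: error reading data, FastCGI server closed connection"),
    "signal_11": re.compile(r"unexpected signal 11"),
}

def classify_line(line):
    """Return the name of the first pattern a log line matches, or None."""
    for name, pattern in LOG_PATTERNS.items():
        if pattern.search(line):
            return name
    return None

def scan_httpd_log(text):
    """Count matching lines per pattern; both together point at a crashed FastCGI worker."""
    counts = Counter(classify_line(line) for line in text.splitlines())
    counts.pop(None, None)  # drop lines that matched nothing
    return counts

def cron_reads_fcgi_debug(crontab_text):
    """Return crontab entries that reference fcgi.debug; no routine job should."""
    return [line for line in crontab_text.splitlines() if "fcgi.debug" in line]

def present_ioc_paths(path_listing):
    """Return IOC paths found in a device file listing. Standard paths such as
    /etc/pam.d/sshd are expected to exist; their presence means 'verify integrity'."""
    return sorted(IOC_PATHS & set(path_listing))
```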

Read more: https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited