CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Fortinet disclosed a critical unauthenticated stack-based buffer overflow vulnerability (CVE-2025-32756) affecting multiple products; it allows remote attackers to achieve remote code execution. The vulnerability has been exploited in the wild against FortiVoice appliances. #Fortinet #FortiVoice

Key points

  • Fortinet disclosed CVE-2025-32756, a critical stack-based buffer overflow vulnerability rated CVSS 9.6, affecting FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera products.
  • The vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices.
  • Exploitation in the wild has been confirmed, with threat actors specifically targeting FortiVoice appliances.
  • Observed malicious activities include network scanning, credential logging, and log file deletion.
  • Fortinet has released patches and migration guidance for all affected and supported product versions.
  • For unsupported versions, Fortinet advises migration to fixed releases or disabling the HTTP(S) administration interface as a temporary mitigation.
  • Security tools from Rapid7, such as InsightVM and Nexpose, will provide unauthenticated checks to assess exposure to this vulnerability starting May 14, 2025.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The vulnerability enables remote code execution, allowing attackers to run arbitrary commands on vulnerable Fortinet appliances (“…unauthenticated remote attacker to achieve remote code execution…”).
  • [T1046] Network Service Scanning – Observed threat activity included network scanning to identify vulnerable FortiVoice devices (“…additional network scanning…”).
  • [T1005] Data from Local System – Attackers engaged in credential logging to capture sensitive information from compromised devices (“…credential logging…”).
  • [T1070] Indicator Removal on Host – Threat actors wiped log files to cover tracks after exploitation (“…log file wiping…”).

Indicators of Compromise

  • [File Names] Vulnerable product versions – Examples include FortiVoice 7.2 and 7.0, FortiRecorder 7.2 and 7.0, and the other affected versions listed in the patch guidance.
  • [Networks / IPs] Network scanning activity context – Specific IP addresses were not disclosed, but scanning behavior was reported in relation to FortiVoice appliances.
  • [Credentials] Credential logging context – Compromised authentication data was harvested during active exploitation.

Read more: https://blog.rapid7.com/2025/05/14/etr-multiple-fortinet-products-cve-2025-32756-exploited-in-the-wild/