Multiple critical vulnerabilities have been discovered in various Fortinet products, with the most severe allowing arbitrary code execution by remote attackers. Immediate patching and security best practices are recommended to protect affected Fortinet systems from exploitation. #Fortinet #FortiVoice #FortiOS
Keypoints
- Fortinet disclosed multiple vulnerabilities affecting several product lines including FortiVoice, FortiOS, FortiNDR, FortiCamera, FortiManager, and others, with CVE-2025-32756 being the most critical.
- The most severe vulnerability (CVE-2025-32756) is a stack-based buffer overflow allowing remote arbitrary code execution via crafted HTTP requests.
- Other issues include authentication bypasses, buffer over-read, code injections, privilege escalations, sensitive information exposure, and improper authorization across different Fortinet products.
- Fortinet observed the active exploitation of CVE-2025-32756 specifically targeting FortiVoice in the wild.
- The risk assessment indicates high to medium severity for both government and business entities, with home users considered low risk.
- Recommendations include immediate application of Fortinet patches, implementation of vulnerability management processes, network segmentation, and the Principle of Least Privilege among others.
- Additional mitigations emphasize periodic penetration testing, automated patch and vulnerability scanning, and enabling anti-exploitation features on enterprise assets.
MITRE Techniques
- [TA0001] Initial Access – Exploiting public-facing applications to gain unauthorized access through vulnerabilities such as the stack-based overflow in FortiVoice and others. (‘A stack-based overflow vulnerability [CWE-121] in FortiVoice… may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.’)
- [T1190] Exploit Public-Facing Application – Remote code execution via crafted HTTP requests targeting Fortinet products to compromise systems. (‘…may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.’)
- [T1098] Account Manipulation – Authentication bypass vulnerability allowing attackers with knowledge of existing admin accounts to gain unauthorized device access. (‘…may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass.’)
- [T1068] Exploitation for Privilege Escalation – Possible privilege escalation through local code injection and improper authorization flaws in FortiClient and FortiManager products. (‘An improper isolation… may allow an authenticated attacker to inject code…’ and ‘An Incorrect Authorization vulnerability… may allow a local attacker to escalate privileges.’)
- [T1083] File and Directory Discovery – Exploiting relative path traversal to perform arbitrary file writes in FortiClientEMS. (‘A Relative Path Traversal vulnerability… may allow a remote unauthenticated attacker to perform a limited arbitrary file write…’)
- [T1560] Archive Collected Data – Exposure of sensitive information through log files and application data leakage vulnerabilities. (‘…may allow an authenticated attacker… to view encrypted secrets via the FortiPortal System Log.’)
Indicators of Compromise
- [CVE Identifiers] Critical and lower severity vulnerability references including CVE-2025-32756 (stack overflow exploit), CVE-2025-22252 (authentication bypass), CVE-2025-46777 (log file exposure), among others.
- [Vulnerable Products] Fortinet product names linked to vulnerabilities such as FortiVoice, FortiOS, FortiClient, FortiManager, FortiNDR, and FortiCamera, indicating compromised system components.
- [Attack Vectors] Exploit methods include crafted HTTP requests, crafted CLI arguments, Electron environment variable injection, path traversal upload requests, and exploiting TACACS+ authentication mechanisms.