A critical stack-based buffer overflow vulnerability, CVE-2025-32756, has been disclosed by Fortinet, impacting multiple products including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. With a CVSS score of 9.6, this flaw allows remote unauthenticated attackers to execute arbitrary code or commands through specially crafted HTTP requests. The vulnerability is particularly dangerous because it grants full control over targeted systems without requiring authentication. Fortinet confirmed that the flaw is being actively exploited in the wild, particularly targeting FortiVoice deployments, prompting an immediate release of patches on May 13, 2025.

The attack chain observed in real-world exploitation involves reconnaissance, log erasure, and abuse of FastCGI debugging to capture credentials and hide traces of compromise. Threat actors were seen placing malicious files like wpad_ac_helper, libfmlogin.so, and tampered versions of busybox, which support credential theft and command execution. Cron jobs were scheduled to periodically extract sensitive data from FCGI debug logs and store it in hidden locations. Malicious configuration changes included modifications to system files such as /etc/pam.d/sshd and /etc/httpd.conf, allowing persistence and deeper system compromise.

Indicators of compromise (IoCs) identified by Fortinet include suspicious FastCGI errors in HTTPD logs, unauthorized file modifications, and six known malicious IP addresses. The attackers also enabled non-default debugging settings like fcgi debug level 0x80041 and general to-file ENABLED, which played a critical role in the credential capture mechanism. Additional artifacts such as libfmlogin.so and /tmp/.sshdpm were used for logging and storing stolen SSH credentials. These indicators provide valuable data for threat hunting and incident response.

The vulnerability affects a wide range of versions across Fortinet’s product line. Fortinet urges customers to apply patches immediately and, if unable to do so, to disable HTTP/HTTPS administrative access as a temporary mitigation. This attack underscores a continuing trend of critical vulnerabilities in network appliances being leveraged for espionage and systemic compromise, echoing previous threats like CVE-2024-55591 and CVE-2022-40684, which were also exploited by state-sponsored actors.