External risk intelligence

Fortinet Products: Code Execution via HTTP Request

CVE advisoryKnown Exploit

CVE-2025-32756

A vulnerability in multiple Fortinet products allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. This could impact business operations and data integrity by allowing unauthorized command execution. Organizations should assess their exposure and apply vendor updates.

5Halo Surface Signal

Out-of-bounds Write

Fortinet Fortimail

7.0.0 to before 7.0.97.2.0 to before 7.2.87.4.0 to before 7.4.57.6.0 to before 7.6.37.0.0 to before 7.0.77.2.0 to before 7.2.57.4.0 to before 7.4.81.1.01.2.01.3.01.4.01.5.07...

External exposure likelihood

Halo Surface Signal score for CVE-2025-32756

This vulnerability affects internet-exposed infrastructure, including email gateways (FortiMail), network detection systems (FortiNDR), and communication appliances (FortiVoice, FortiCamera). These products are designed to be public-facing or sit at the network edge to monitor and manage external traffic, and the vulnerability is reachable via unauthenticated HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

Multiple Fortinet products are affected by a vulnerability that could allow for unauthorized code execution. This flaw resides in how certain products handle HTTP requests, specifically with specially crafted hash cookies. The successful exploitation of this vulnerability could lead to the execution of arbitrary code or commands on the affected systems.

  • Vulnerable Fortinet products
  • Buffer overflow in HTTP requests
  • Arbitrary code execution

Attack Path

How an attacker could exploit the issue

A remote, unauthenticated attacker can exploit a stack-based buffer overflow vulnerability by sending specially crafted HTTP requests. This exploit can lead to the execution of arbitrary code or commands on the affected systems. The vulnerability is present in multiple Fortinet products, making them potential targets for attackers.

  • Exposure condition: Products are accessible via HTTP requests.
  • Attacker starting point: Remote, unauthenticated access.
  • Trigger and result: Specially crafted HTTP requests lead to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability affecting multiple Fortinet products allows unauthenticated attackers to execute arbitrary code. This is achieved by sending specially crafted HTTP requests that exploit a stack-based buffer overflow. The vulnerability has been observed to be actively exploited in the wild, indicating a significant threat. Given the potential for full system compromise and the ease of exploitation, organizations should treat this vulnerability with high urgency.

  • Likely attacker skill level: Low.
  • Required access or conditions: Network access.
  • Business risk or urgency: Critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability has been identified that could allow remote attackers to execute arbitrary code or commands on affected systems. This risk stems from a stack-based buffer overflow that can be triggered by specially crafted HTTP requests. Organizations should take immediate steps to understand their exposure and implement necessary protections.

  • Identify affected assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.

Frequently asked questions

What Fortinet products are impacted by CVE-2025-32756, and what is the nature of the vulnerability?

CVE-2025-32756 affects multiple Fortinet products including FortiMail, FortiNDR, FortiRecorder, FortiVoice, and FortiCamera firmware. The vulnerability is a stack-based buffer overflow (CWE-121) that can be triggered by specially crafted HTTP requests, potentially allowing arbitrary code or command execution.

How can an attacker exploit the stack-based buffer overflow in affected Fortinet products?

An unauthenticated, remote attacker can exploit this vulnerability by sending HTTP requests with a specially crafted hash cookie. This exploit targets a weakness in how the affected products process HTTP requests, leading to a buffer overflow.

What is the scope of impact for CVE-2025-32756, and what are the potential consequences for an organization?

The scope is broad, affecting multiple Fortinet product lines accessible via HTTP. Successful exploitation can lead to arbitrary code execution, giving an attacker full control over the compromised system, posing a critical business risk.

Given that CVE-2025-32756 is on the CISA Known Exploited Vulnerabilities Catalog, what is the specific threat advisory for this...

This vulnerability is listed on the CISA KEV catalog due to active exploitation, making it a high-priority threat. Organizations must apply mitigations provided by Fortinet immediately or discontinue product use if fixes are unavailable, aligning with binding operational directives.

What are the recommended practical steps for organizations to respond to this Fortinet vulnerability?

Organizations should first identify all affected Fortinet assets within their environment. Next, they should take steps to reduce or isolate the risk associated with these assets. Finally, apply the vendor-provided fixes, verify their successful implementation, and continue to monitor the systems for any signs of compromise.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified