PT-2025-20903 · Fortinet · Fortivoice+4

Published 2025-05-13 · Updated 2026-04-21 · CVE-2025-32756

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10
Fortinet FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5
Fortinet FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8
Fortinet FortiNDR versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6
Fortinet FortiCamera versions 2.1.0 through 2.1.3, 2.0 all versions, 1.1 all versions
Description

A stack-based buffer overflow vulnerability exists in Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The flaw allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted HTTP requests containing a manipulated hash cookie. The vulnerability resides in the AuthHash cookie processing, specifically within the cookieval_unwrap() function, where insufficient input validation leads to a buffer overflow. An attacker can thereby overwrite critical stack values, including the return address, and ultimately gain control of the system. The vulnerability is being actively exploited in the wild. Approximately 39.4K+ services are found to be affected yearly. The vulnerability is tracked as CVE-2025-32756 and has a CVSS score of 9.6 to 9.8. Attackers are scanning networks, stealing credentials, deleting logs, and establishing persistence. The /remote/hostcheck_validate API endpoint is involved in the exploitation.
Recommendations

FortiVoice versions prior to 7.2.0
FortiRecorder versions prior to 7.2.0
FortiMail versions prior to 7.6.0
FortiNDR versions prior to 7.6.0
FortiCamera versions prior to 2.1.0

Apply the security updates released by Fortinet to address CVE-2025-32756.
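The description above names two concrete artefacts a defender can watch for while patches are rolled out: the AuthHash cookie and the /remote/hostcheck_validate endpoint. The following is an added triage example, not code from this record or from Fortinet; it scans constructed web-access log lines and flags requests whose AuthHash cookie is oversized or contains characters outside a plausible hash alphabet, weighting hits on the named endpoint higher. The log layout, the field names, the 128-character threshold and the allowed character set are all assumptions to be tuned against your own appliances' baseline.

```python
"""Flag web-access log lines whose AuthHash cookie looks malformed.

Constructed example for CVE-2025-32756 triage. The record above names the
AuthHash cookie and the /remote/hostcheck_validate endpoint; the log format,
the field names and the length threshold are assumptions, not Fortinet's.
"""
import re
from typing import Optional

# Assumption: a legitimate AuthHash value is short; anything far beyond this
# is worth a look. Tune to what your own appliances actually emit.
MAX_AUTHHASH_LEN = 128
SENSITIVE_PATH = "/remote/hostcheck_validate"  # endpoint named in the record

# Assumed log layout: <src_ip> <method> <path> cookie="<Cookie header>"
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)

# Assumed alphabet for a hash-like cookie value (hex, base64 and URL-safe base64).
HASH_ALPHABET = re.compile(r"[A-Za-z0-9+/=_-]*")


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into name -> value (first occurrence wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name not in cookies:
            cookies[name] = value
    return cookies


def assess_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: not this detector's business
    authhash = parse_cookie_header(m["cookie"]).get("AuthHash")
    if authhash is None:
        return None
    reasons = []
    if len(authhash) > MAX_AUTHHASH_LEN:
        reasons.append(f"AuthHash length {len(authhash)} exceeds {MAX_AUTHHASH_LEN}")
    if not HASH_ALPHABET.fullmatch(authhash):
        reasons.append("AuthHash contains characters outside the expected set")
    if not reasons:
        return None
    # A malformed cookie aimed at the named endpoint is the stronger signal.
    severity = "high" if m["path"] == SENSITIVE_PATH else "medium"
    return {"src": m["src"], "path": m["path"], "severity": severity, "reasons": reasons}


def scan(lines) -> list:
    """Run assess_line over an iterable of log lines and keep the findings."""
    return [f for f in (assess_line(line) for line in lines) if f]


# Constructed sample traffic: one benign request, one oversized cookie on the
# named endpoint, one oversized cookie elsewhere, one with stray bytes.
SAMPLE_LOG = [
    '203.0.113.10 GET /remote/hostcheck_validate cookie="AuthHash=0123abcd; lang=en"',
    '203.0.113.77 GET /remote/hostcheck_validate cookie="AuthHash=' + "A" * 400 + '"',
    '198.51.100.5 POST /api/v1/login cookie="AuthHash=' + "B" * 200 + '; other=1"',
    '198.51.100.9 GET /remote/hostcheck_validate cookie="AuthHash=%00%ff\\x41"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["src"], finding["path"], "; ".join(finding["reasons"]))
```

Length and alphabet checks are deliberately coarse: they cannot confirm exploitation, but they are cheap to run retrospectively over archived access logs and give incident responders a short list of sources to cross-check against the credential theft and log deletion activity the description mentions.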

Tags: Exploit · Fix · RCE · Stack Overflow · Memory Corruption


Weakness Enumeration

Related Identifiers

BDU:2025-05439
CVE-2025-32756

Affected Products

Forticamera
Fortimail
Fortindr
Fortirecorder
Fortivoice