PoC exploit for 0-day in Fortinet

09.06.2025 2 minutes Author: Newsman

Massive RCE attack already in action

Researchers have published a PoC exploit for the critical 0-day vulnerability CVE-2025-32756 in Fortinet products. The vulnerability allows remote unauthenticated code execution (RCE) via a buffer overflow in /remote/hostcheck_validate.

Exploitation is already in full swing. The vulnerability affects FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera and lets an attacker take complete control of the device. The flaw lies in the handling of the enc parameter in the AuthHash cookie, where bounds checking is missing. The Python exploit sends a specially crafted POST request that triggers the buffer overflow without requiring any authentication. Fortinet has confirmed that attacks are already underway: after compromise, attackers actively delete logs, enable SSH data interception, modify crontab and leave backdoors such as /bin/wpad_ac_helper. Fortinet has already released patches for all of the products mentioned.

Minimum safe versions: FortiVoice 7.2.1+, FortiMail 7.6.3+, FortiNDR 7.6.1+, FortiRecorder 7.2.4+, FortiCamera 2.1.4+. As a temporary measure, the HTTP/HTTPS administrative interfaces can be disabled, but the main thing is to update the systems immediately. Known attacker IP addresses include 198.105.127.124, 43.228.217.173 and 156.236.76.90, among others; they must be blocked. Evidence of full network reconnaissance and of persistence on compromised systems has been identified. The availability of a working exploit in the public domain increases the risk of mass compromise of unpatched systems.

Organizations should immediately update their Fortinet products, monitor for signs of compromise, and take steps to minimize the risk of data leakage. A vulnerability with a CVSS score of 9.8 requires an immediate response.
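The version floors and indicators named above can be turned into a quick triage check. The following Python script is an added example, not code from the article or from Fortinet; the log line format and the sample lines are constructed, and the version check uses only the minimum safe versions stated here, so older release branches with their own fixes are not covered.

```python
import re

# Minimum safe versions as stated in the article (no other branches are considered)
MIN_SAFE = {
    "FortiVoice": (7, 2, 1),
    "FortiMail": (7, 6, 3),
    "FortiNDR": (7, 6, 1),
    "FortiRecorder": (7, 2, 4),
    "FortiCamera": (2, 1, 4),
}

# Indicators named in the article: attacker source IPs, backdoor path, vulnerable endpoint
KNOWN_ATTACKER_IPS = {"198.105.127.124", "43.228.217.173", "156.236.76.90"}
BACKDOOR_PATH = "/bin/wpad_ac_helper"
VULN_ENDPOINT = "/remote/hostcheck_validate"

# Constructed sample log lines (hypothetical format, not real captures)
SAMPLE_LOG = [
    '198.105.127.124 - - "POST /remote/hostcheck_validate HTTP/1.1" cookie="AuthHash=..." 200',
    '10.0.0.5 - - "GET /login HTTP/1.1" 200',
    'cron: new entry added: * * * * * /bin/wpad_ac_helper',
]

def parse_version(v: str) -> tuple:
    """Turn '7.2.0' into (7, 2, 0); assumes a dotted numeric version, optional leading 'v'."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def is_vulnerable(product: str, version: str) -> bool:
    """True if the running version is below the minimum safe release for that product."""
    if product not in MIN_SAFE:
        raise ValueError(f"unknown product: {product}")
    return parse_version(version) < MIN_SAFE[product]

def scan_log_lines(lines):
    """Return (line_no, reason) pairs for lines matching an indicator from the article."""
    ip_re = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in ip_re.findall(line):
            if ip in KNOWN_ATTACKER_IPS:
                hits.append((n, f"known attacker IP {ip}"))
        if BACKDOOR_PATH in line:
            hits.append((n, f"backdoor path {BACKDOOR_PATH}"))
        if VULN_ENDPOINT in line and "POST" in line and "AuthHash" in line:
            hits.append((n, "POST to vulnerable endpoint carrying an AuthHash cookie"))
    return hits

if __name__ == "__main__":
    for n, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Feed the script your own access and cron logs and the product/version pairs from your inventory; any hit or any `is_vulnerable` result of True warrants the patching and compromise assessment described above.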
