On May 13, 2025, Fortinet PSIRT published FG-IR-25-254 for CVE-2025-32756, a stack-based buffer overflow in the HTTP management portals of FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The CVSS v3.1 score is 9.6, the bug is reachable without authentication, and Fortinet confirmed in-the-wild exploitation against FortiVoice. CISA added CVE-2025-32756 to the Known Exploited Vulnerabilities catalog the same week. It is another reminder that Fortinet's "supporting" products share enough code with FortiOS to inherit critical bugs, and that many enterprise inventories track them poorly.
What is the bug?
The vulnerability lives in the management portal's authentication handler. When the device parses an HTTP request to certain administrative endpoints, the value of the APSCOOKIE cookie is copied into a fixed-size stack buffer in the cookieapi library: the code takes the length from the request but never compares it with the size of the destination. A crafted request with an oversized APSCOOKIE value therefore overwrites the saved frame pointer and return address, and the attacker redirects execution into a ROP chain.
Because the management daemon runs as root and the affected binary is built without stack canaries, exploitation is reliable. Public exploit chains use a short ROP chain to reach system() with an attacker-controlled command and drop a reverse shell over TCP/443.
The bug class is CWE-121 (stack-based buffer overflow). These products share their lineage with FortiOS, whose sslvpnd has already yielded CVE-2024-21762 (out-of-bounds write) and CVE-2023-27997 (heap overflow), so researchers regard the code base as structurally dependent on strcpy/memcpy with attacker-controlled lengths.
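The pattern underneath this, as an added example that is not Fortinet's code: a cookie value copied into a fixed-size stack buffer with a request-supplied length, beside the bounds-checked version. The buffer size (COOKIE_BUF), the function names and the sample header are assumptions; the real buffer size is not published here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Fortinet code. It shows the CWE-121 pattern the advisory
 * describes: an attacker-controlled cookie value copied into a fixed-size
 * stack buffer with the length taken from the request, beside a bounds-checked
 * version. COOKIE_BUF is an assumed size; the real one is not given here. */
#define COOKIE_BUF 32

/* Locate the APSCOOKIE value inside a Cookie header. Returns a pointer to the
 * first byte of the value (not NUL-terminated) and stores its length, or NULL
 * if the cookie is absent. The value ends at ';', CR or LF. */
static const char *find_apscookie(const char *cookie_hdr, size_t *len)
{
    const char *p = strstr(cookie_hdr, "APSCOOKIE=");
    if (p == NULL) return NULL;
    p += strlen("APSCOOKIE=");
    *len = strcspn(p, ";\r\n");
    return p;
}

/* VULNERABLE: the length is computed ("length-checked") but never compared
 * with the destination, so a long value runs past buf into the saved frame
 * pointer and return address. Only ever call this with a value that fits;
 * with a longer one it is undefined behaviour, which is exactly the bug. */
int unwrap_cookie_vulnerable(const char *cookie_hdr, char *out, size_t outsz)
{
    char buf[COOKIE_BUF];
    size_t len;
    const char *v = find_apscookie(cookie_hdr, &len);
    if (v == NULL || len == 0) return -1;
    memcpy(buf, v, len);            /* no check of len against sizeof buf */
    buf[len] = '\0';                /* and one more write past the end */
    snprintf(out, outsz, "%s", buf);
    return (int)len;
}

/* HARDENED: refuse anything that does not fit together with its terminator.
 * Rejecting beats silent truncation, since a truncated cookie would still be
 * handed to the authentication logic. */
int unwrap_cookie_safe(const char *cookie_hdr, char *out, size_t outsz)
{
    char buf[COOKIE_BUF];
    size_t len;
    const char *v = find_apscookie(cookie_hdr, &len);
    if (v == NULL || len == 0) return -1;
    if (len >= sizeof buf) return -2;   /* oversized value: reject the request */
    memcpy(buf, v, len);
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return (int)len;
}

/* Wrappers so the two parsers can be compared on the same input. */
int safe_len(const char *cookie_hdr)
{
    char out[COOKIE_BUF];
    return unwrap_cookie_safe(cookie_hdr, out, sizeof out);
}

int vulnerable_len(const char *cookie_hdr)
{
    char out[COOKIE_BUF];
    return unwrap_cookie_vulnerable(cookie_hdr, out, sizeof out);
}

/* Builds a constructed header carrying a 4096-byte value, like the request
 * in the article, and feeds it only to the hardened parser. Returns 1 if
 * the hardened parser rejected it. */
int oversized_is_rejected(void)
{
    const char *prefix = "Cookie: APSCOOKIE=";
    size_t n = strlen(prefix) + 4096;
    char *hdr = malloc(n + 1);
    char out[COOKIE_BUF];
    if (hdr == NULL) return 0;
    memcpy(hdr, prefix, strlen(prefix));
    memset(hdr + strlen(prefix), 'A', 4096);
    hdr[n] = '\0';
    int rc = unwrap_cookie_safe(hdr, out, sizeof out);
    free(hdr);
    return rc == -2;
}

int main(void)
{
    /* constructed header, not captured traffic */
    const char *normal = "Cookie: APSCOOKIE=Era%3D0%26Payload%3Dabc; lang=en";
    printf("hardened, normal value  : %d\n", safe_len(normal));       /* 23 */
    printf("vulnerable, normal value: %d\n", vulnerable_len(normal)); /* 23 */
    printf("hardened rejects 4096-byte value: %s\n",
           oversized_is_rejected() ? "yes" : "no");                   /* yes */
    return 0;
}
```

The hardened variant returns a distinct error for "too long" rather than clamping, so the caller can log the attempt and drop the request; that distinction is what makes the crashlog and cookie-length checks in the detection section useful.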
How is it exploited?
Exploitation requires only a reachable HTTP or HTTPS management port. A simplified request (the body is 18 bytes, which the Content-Length must match, and a blank line separates headers from body):
POST /remote/login HTTP/1.1
Host: voice.target.example
Cookie: APSCOOKIE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...4096 bytes of shellcode/ROP...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

ajax=1&user=&pass=
The oversized cookie triggers the overflow, the ROP chain runs a mkfifo/bash reverse-shell one-liner, and the attacker connects back. Fortinet's advisory listed the attacker infrastructure observed in the May 2025 intrusions, including 156.236.76.90, 218.187.69.244 and 198.105.127.124. The operators erased the crashlog, removed entries from /var/log/auth.log, and dropped /bin/fmtest, a small shell script that opened a backdoor SSH listener.
Who is affected?
Affected products and versions:
- FortiVoice 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10
- FortiMail 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8
- FortiNDR 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6
- FortiRecorder 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5
- FortiCamera 2.1.0 through 2.1.3, 2.0.0 through 2.0.4, 1.1.0 through 1.1.5
Fixed in FortiVoice 7.2.1 / 7.0.7 / 6.4.11, FortiMail 7.6.3 / 7.4.5 / 7.2.8 / 7.0.9, FortiNDR 7.6.1 / 7.4.8 / 7.2.5 / 7.0.7, FortiRecorder 7.2.4 / 7.0.6 / 6.4.6, and FortiCamera 2.1.4 (the FortiCamera 2.0 and 1.1 branches receive no fix and must be migrated to 2.1.4 or later).
FortiMail has the largest exposed footprint: it sits in front of mail as an inbound gateway, and its management portal is often reachable from the internet because operators want remote access to it. FortiCamera is a smaller install base but particularly painful, because the cameras frequently sit behind permissive NAT rules with administrative ports forwarded.
What does patching require?
Standard Fortinet firmware upgrade, with one complication. FortiCamera and FortiRecorder are often deployed by physical-security integrators who do not patch on a regular cadence; security teams that find a vulnerable FortiCamera on the corporate network frequently learn that the device belongs to Facilities, not IT, and that no support contract covers patching it. Fortinet's workaround until the upgrade is to disable the HTTP/HTTPS administrative interface and manage the device over SSH or the local console. On the FortiMail- and FortiVoice-style CLI this means removing http and https from the interface's allowaccess list (the interface name and exact syntax vary by product; keep ssh in the list unless you really want console-only management, because the list replaces the previous one):
config system interface
edit "port1"
set allowaccess ping ssh
next
end
This takes the web UI off the network while leaving SSH for administration until the upgrade window opens.
How do you detect exploitation?
The dominant host indicator is /bin/fmtest, or more generally any file under /bin/ that is not part of the shipped firmware image; compare against a known-good image of the same build rather than trusting modification times, which the operators can set. The crashlog records overflow attempts even when auth.log has been trimmed, and because the operators also erased crashlogs, an empty crashlog on a device that has been up for months is itself suspicious:
diagnose debug crashlog read
Look for entries containing Segmentation fault in cookieapi or stack traces referencing read_cookie_string. Cross-reference with HTTP access logs exported to your collector for unusually long APSCOOKIE values. The cookie value ends at the next semicolon, so split it off before measuring, or every long line after the cookie will match:
awk -F'APSCOOKIE=' 'NF > 1 { split($2, v, /[;" ]/); if (length(v[1]) > 200) print }' /var/log/httpd/access.log
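The same two checks run over exported log lines, as an added example that is not Fortinet tooling: it measures the APSCOOKIE value up to its delimiter rather than the rest of the line, and matches the client address against the attacker IPs listed above. The log layout (client address first, Cookie header quoted at the end), the 200-byte threshold and the sample lines are constructed assumptions; it only works where the collector actually records the Cookie header.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Fortinet tooling. Applies the two checks from the
 * detection section, an APSCOOKIE value longer than a threshold and a client
 * address on the attacker IP list, to access-log lines. The log layout is
 * assumed: client address first, Cookie header as the last quoted field. */

#define COOKIE_THRESHOLD 200
#define FLAG_LONG_COOKIE 1
#define FLAG_IOC_SOURCE  2

/* The three addresses named in the article; extend from the advisory. */
static const char *IOC_IPS[] = {
    "156.236.76.90", "218.187.69.244", "198.105.127.124",
};

/* Length of the APSCOOKIE value on a line, 0 if there is none. The value
 * ends at ';', a closing quote, whitespace or end of line. */
size_t apscookie_len(const char *line)
{
    const char *p = strstr(line, "APSCOOKIE=");
    if (p == NULL) return 0;
    p += strlen("APSCOOKIE=");
    return strcspn(p, ";\" \t\r\n");
}

/* The first whitespace-delimited field is the client address (assumed layout). */
int client_ip_is_ioc(const char *line)
{
    size_t n = strcspn(line, " \t");
    for (size_t i = 0; i < sizeof IOC_IPS / sizeof IOC_IPS[0]; i++) {
        if (strlen(IOC_IPS[i]) == n && strncmp(line, IOC_IPS[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Bitmask of the checks that fired for one line; 0 means nothing to see. */
int classify_line(const char *line)
{
    int flags = 0;
    if (apscookie_len(line) > COOKIE_THRESHOLD) flags |= FLAG_LONG_COOKIE;
    if (client_ip_is_ioc(line)) flags |= FLAG_IOC_SOURCE;
    return flags;
}

/* Constructed sample lines, not real logs. sample_oversized is filled in at
 * runtime because its cookie value is 4096 bytes long. */
static const char *sample_benign =
    "10.0.5.12 - - [14/May/2025:09:01:22 +0000] \"POST /remote/login HTTP/1.1\" "
    "200 512 \"-\" \"Mozilla/5.0\" \"APSCOOKIE=Era%3D0%26Payload%3Dabc; lang=en\"";
static const char *sample_ioc =
    "198.105.127.124 - - [14/May/2025:09:03:10 +0000] \"GET /login HTTP/1.1\" "
    "200 118 \"-\" \"curl/8.4.0\" \"-\"";
static char sample_oversized[4608];

const char *build_oversized_sample(void)
{
    const char *head = "203.0.113.7 - - [14/May/2025:09:02:41 +0000] "
                       "\"POST /remote/login HTTP/1.1\" 500 0 \"-\" "
                       "\"python-requests/2.31\" \"APSCOOKIE=";
    size_t h = strlen(head);
    memcpy(sample_oversized, head, h);
    memset(sample_oversized + h, 'A', 4096);
    strcpy(sample_oversized + h + 4096, "\"");
    return sample_oversized;
}

/* Runs the classifier over the samples, prints hits, returns how many fired. */
int scan_samples(void)
{
    const char *lines[] = { sample_benign, build_oversized_sample(), sample_ioc };
    int hits = 0;
    for (size_t i = 0; i < 3; i++) {
        int f = classify_line(lines[i]);
        if (f == 0) continue;
        hits++;
        printf("line %zu:%s%s\n", i,
               (f & FLAG_LONG_COOKIE) ? " oversized-APSCOOKIE" : "",
               (f & FLAG_IOC_SOURCE)  ? " ioc-source-ip" : "");
    }
    return hits;
}

int main(void)
{
    printf("%d of 3 constructed lines flagged\n", scan_samples());  /* 2 of 3 */
    return 0;
}
```

Feed it a real export by replacing the sample array with a line reader; the two checks are deliberately independent, since a listed address sending a short request is still worth a look.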
A Suricata rule for the request. It only works on plaintext HTTP, i.e. traffic seen after TLS termination or on a decrypting tap; a rule written against the tls protocol cannot content-match inside the encrypted stream, so it is written as an http rule on the cookie buffer:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Fortinet CVE-2025-32756 oversized APSCOOKIE"; flow:established,to_server; http.cookie; content:"APSCOOKIE="; nocase; isdataat:512,relative; reference:cve,2025-32756; classtype:attempted-admin; sid:1099900; rev:2;)
Fortinet's IoC list also covers the attacker IPs above and notes that the intruders enabled fcgi debugging to capture credentials; check diagnose debug application fcgi for "general to-file ENABLED", which is not the default, and audit the admin account list for additions you cannot account for.
How Safeguard Helps
Safeguard treats Fortinet ancillary products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera) as first-class network assets, ingesting their firmware build identifiers into the SBOM graph alongside FortiGate. When CVE-2025-32756 was published on May 13, 2025, customers with FortiVoice or FortiCamera fleets they had historically been blind to received discovery alerts within hours. Reachability analysis flags devices whose HTTP/HTTPS management interface is reachable from outside the management VLAN, including from the internet, which is the exposure that makes exploitation possible, and Griffin AI cross-references CISA KEV inclusion to push the finding to the top of the action queue. Policy gates block deployment of any FortiVoice or FortiMail image below the fixed baseline, and Safeguard's IR runbook integrations file ServiceNow tickets directly with the Facilities team for FortiCamera assets, removing the cross-org handoff that has historically delayed these patches by weeks.