Critical Vulnerabilities in Multiple Fortinet Products

Critical Vulnerabilities in Multiple Fortinet Products

Background

Fortinet has released security updates addressing a critical vulnerability (CVE-2025-32756) affecting their products. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

Impact

Successful exploitation of the stack-based overflow vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.

Known Exploitation

The vulnerability is reportedly being actively exploited in Fortinet products, including FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice.

Affected Products

The vulnerability affects the following versions:

• Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10

• FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5

• FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8

• FortiNDR versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6

• FortiCamera versions 2.1.0 through 2.1.3, all versions of 2.0 and 1.1

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately. 

Workaround

For users who are unable to immediately upgrade to a fixed version, Fortinet recommends disabling the HTTP/HTTPS administrative interface. 

Indicators of Compromise

Logs

Output of CLI command 'diagnose debug application httpd display trace-log':

[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection

[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11

IP Addresses

198.105.127.124

43.228.217.173

43.228.217.82

156.236.76.90

218.187.69.244

218.187.69.59

Modified Settings

To verify if fcgi debugging is enabled on your system, use the following CLI command:

diag debug application fcgi

If the output shows "general to-file ENABLED", it means fcgi debugging is enabled on your system:

fcgi debug level is 0x80041

general to-file ENABLED

This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise

Files

The following system files may have been modified or added by the TA:

- [Added File] /bin/wpad_ac_helper - MD5:4410352e110f82eabc0bf160bec41d21 - main malware file

- [Added File] /bin/busybox - MD5:ebce43017d2cb316ea45e08374de7315 and 489821c38f429a21e1ea821f8460e590

- /data/etc/crontab - A line was added to grep sensitive data from fcgi.debug:

0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug

- /var/spool/cron/crontabs/root - A line was added to backup fcgi.debug:

0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug

- [Added File] /var/spool/.sync - Credentials are gathered into this file by the cron jobs above

- /etc/pam.d/sshd - Lines were added to it to include malicious libfmlogin[.]so below

- [Added File] /lib/libfmlogin[.]so - MD5:364929c45703a84347064e2d5de45bcd - malicious library that logs username and password using SSH login

- [Added File] /tmp/.sshdpm - contains credentials gathered by /lib/libfmlogin[.]so above

- [Added File] /bin/fmtest - MD5: 2c8834a52faee8d87cff7cd09c4fb946 - Script to scan the network

- /etc/httpd.conf - A line was added to include socks[.]so: LoadModule socks5_module modules/mod_socks5[.]so

References:

https://fortiguard.fortinet.com/psirt/FG-IR-25-254

https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-zero-day-exploited-in-fortivoice-attacks/

https://www.cve.org/CVERecord?id=CVE-2025-32756

https://nvd.nist.gov/vuln/detail/CVE-2025-32756