CVE-2025-32756

CRITICAL KEV RANSOMWARE

Fortinet Fortimail < 7.0.9 - Out-of-Bounds Write


Exploitation Summary

CVE-2025-32756 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added May 14, 2025), with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including kn0x0x, cybersecplayground and exfil0.

AI-analyzed exploit summary

This repository contains a proof-of-concept exploit for CVE-2025-32756, a critical stack-based buffer overflow vulnerability in Fortinet products. The exploit demonstrates the vulnerability by triggering the buffer overflow condition in the AuthHash cookie processing of the `/remote/hostcheck_validate` endpoint.

Description

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiCamera 2.1.0 through 2.1.3, FortiCamera 2.0 all versions, FortiCamera 1.1 all versions, FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.7, FortiNDR 7.2.0 through 7.2.4, FortiNDR 7.0.0 through 7.0.6, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0.0 through 7.0.5, FortiRecorder 6.4.0 through 6.4.5, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6, FortiVoice 6.4.0 through 6.4.10 allows a remote unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests with a specially crafted hash cookie.

Exploits (6)

nomisec WORKING POC 162 stars
by kn0x0x · dos
https://github.com/kn0x0x/CVE-2025-32756-POC

This repository contains a proof-of-concept exploit for CVE-2025-32756, a critical stack-based buffer overflow vulnerability in Fortinet products. The exploit demonstrates the vulnerability by triggering the buffer overflow condition in the AuthHash cookie processing of the `/remote/hostcheck_validate` endpoint.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera
Authentication: none needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable version of Fortinet software
devstral-2 · analyzed Feb 16, 2026
github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-32756.md

The repository contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup provides vulnerability overviews, proof-of-concept details, and mitigation recommendations.

Classification: Writeup (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
Authentication: none needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques
devstral-2 · analyzed Feb 27, 2026
nomisec STUB 4 stars
by exfil0 · remote
https://github.com/exfil0/CVE-2025-32756-POC

The repository contains a partial Python-based PoC framework for CVE-2025-32756, targeting Fortinet software. The code includes extensive setup for logging, dependency checks, and utility functions but lacks the core exploit logic or payload delivery mechanism.

Classification: Stub (70%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Fortinet (version unspecified)
Authentication: none needed
Prerequisites: Python 3.10+ · pwntools>=4.12 · requests>=2.32.2,<4.0 · packaging>=21.0
devstral-2 · analyzed Feb 16, 2026
nomisec STUB
by shan0ar · remote
https://github.com/shan0ar/cve-2025-32756

The repository contains a partial Python script for CVE-2025-32756, focusing on utility functions and setup without actual exploit logic. It includes dependencies like pwntools and requests but lacks payload delivery or vulnerability-specific code.

Classification: Stub (30%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Fortinet (version unspecified)
Authentication: none needed
Prerequisites: Python 3.10+ · pwntools>=4.12 · requests>=2.32.2
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by becrevex · poc
https://github.com/becrevex/CVE-2025-32756

The repository contains only a README.md file with minimal information about CVE-2025-32756, listing affected Fortinet products without technical details or exploit code.

Classification: Writeup (10%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera
Authentication: none needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by alm6no5 · dos
https://github.com/alm6no5/CVE-2025-32756-POC

This PoC demonstrates a stack-based buffer overflow in Fortinet products (CVE-2025-32756) via malformed AuthHash cookie processing in the `/remote/hostcheck_validate` endpoint. It crafts payloads to trigger the overflow but does not include a full RCE payload.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera (various versions)
Authentication: none needed
Prerequisites: Network access to the target device · Vulnerable Fortinet product with exposed `/remote/hostcheck_validate` endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.1968
EPSS Percentile: 95.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2025-05-14
VulnCheck KEV: 2025-05-13
ENISA EUVD: EUVD-2025-14705
Ransomware Use: Confirmed
CWE: CWE-121, CWE-787
Status: published

Products (14)

fortinet/forticamera_firmware 2.0.0 - 2.1.3
fortinet/fortimail 7.0.0 - 7.0.9
fortinet/fortindr 1.1.0
fortinet/fortindr 1.2.0
fortinet/fortindr 1.3.0
fortinet/fortindr 1.4.0
fortinet/fortindr 1.5.0
fortinet/fortindr 7.1.0
fortinet/fortindr 7.1.1
fortinet/fortindr 7.6.0
... and 4 more

Published: May 13, 2025
KEV Added: May 14, 2025
Tracked Since: Feb 18, 2026