Researchers Drop PoC for Fortinet CVE-2025-32756, Urging Quick Patching
Researchers have released a proof of concept (PoC) for CVE-2025-32756, a severe security flaw that is being actively exploited in Fortinet products such as FortiMail and FortiCamera. This stack-based buffer overflow allows unauthenticated remote code execution.
A security vulnerability tracked as CVE-2025-32756 is being actively exploited by attackers and affects several Fortinet products. The Fortinet Product Security Team discovered the vulnerability from observed threat activity, which included network scanning, credential logging, and log file wiping.
Fortinet’s security team, FortiGuard Labs, then issued an alert on May 13, confirming they had seen this vulnerability being exploited in real-world attacks. A variety of Fortinet products are at risk, including FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice. On May 14, it was added to the CISA KEV catalogue.
Researchers at Horizon3.ai, including Jimi Sebree, have been investigating this flaw and published a basic proof of concept, a simple demonstration of how the vulnerability can be triggered. Their work, shared with Hackread.com, involved comparing patched and unpatched versions of FortiMail to pinpoint the exact location of the flaw.
They discovered that the issue resides in a shared library and concerns how the system handles a session management cookie called APSCOOKIE: specifically, the decoding and handling of the AuthHash field within that cookie. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
**What’s the Problem?**
CVE-2025-32756 is, in short, a stack-based buffer overflow in the administrative API: the system copies more data than a fixed-size buffer can hold. When that happens, the excess spills into adjacent memory it should never touch, which gives attackers a way to run their own malicious code, and they can do so without needing a password.
This class of flaw is old, reminiscent of hacking techniques from the 1990s. Its severity is nonetheless extremely high: it scores 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), which measures the potential impact of security risks.
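As an added, defender-side illustration (this is not code from the article, from Fortinet, or from Horizon3.ai), the script below shows the kind of check a detection engineer can run over access logs while patching is under way: it pulls the APSCOOKIE value out of each request's Cookie header and flags any AuthHash field that is far longer than a legitimate one, which is the "too much data into a limited space" condition the section describes. The cookie layout (`&`-separated `key=value` fields), the 64-character length bound, the field name `SomeField` and the log line format are all assumptions constructed for this example; the sample log lines are constructed as well.

```python
"""Flag oversized APSCOOKIE AuthHash values in (constructed) web access logs.

Added example, not from the article or from any vendor. Assumptions that the
article does not state:
  * the APSCOOKIE value is a '&'-separated list of key=value fields, one of
    which is AuthHash
  * a legitimate AuthHash never exceeds MAX_AUTHHASH_LEN characters
  * the log line format below (ip "method path" status "cookie-header")
"""
import re
from typing import Dict, List, Optional

# Constructed bound: tune to the longest AuthHash seen in known-good traffic.
MAX_AUTHHASH_LEN = 64

# Constructed log format: <ip> "<method> <path>" <status> "<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<cookie>.*)"$'
)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> value (first occurrence wins)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies.setdefault(name.strip(), value.strip())
    return cookies


def parse_apscookie(value: str) -> Dict[str, str]:
    """Assumed layout: '&'-separated key=value fields, e.g. '...&AuthHash=...'."""
    fields: Dict[str, str] = {}
    for part in value.split("&"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key] = val
    return fields


def authhash_problem(cookie_header: str) -> Optional[str]:
    """Return a reason if the APSCOOKIE AuthHash exceeds the bound, else None."""
    aps = parse_cookie_header(cookie_header).get("APSCOOKIE")
    if aps is None:
        return None  # request carries no APSCOOKIE at all
    authhash = parse_apscookie(aps).get("AuthHash")
    if authhash is None:
        return None  # no AuthHash field to check
    if len(authhash) > MAX_AUTHHASH_LEN:
        return f"AuthHash length {len(authhash)} exceeds {MAX_AUTHHASH_LEN}"
    return None


def scan_log_lines(lines: List[str]) -> List[dict]:
    """Return one finding per flagged line: ip, path, status and the reason."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # line does not follow the constructed format; skip it
        reason = authhash_problem(match.group("cookie"))
        if reason:
            findings.append({
                "ip": match.group("ip"),
                "path": match.group("path"),
                "status": match.group("status"),
                "reason": reason,
            })
    return findings


# Constructed sample: a normal request, an oversized AuthHash, a request with an
# unrelated cookie, and a line in a different format.
SAMPLE_LOG = [
    '10.0.0.5 "GET /admin/" 200 "APSCOOKIE=SomeField=1&AuthHash=' + "A" * 32 + '"',
    '203.0.113.7 "GET /admin/" 500 "APSCOOKIE=SomeField=1&AuthHash=' + "A" * 300 + '"',
    '10.0.0.9 "GET /" 200 "sessionid=abc123"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(finding)
```

A real deployment would read the log file line by line instead of the embedded list, and would calibrate `MAX_AUTHHASH_LEN` against known-good traffic before alerting on it; an HTTP 500 paired with an oversized field, as in the second sample line, is the pattern worth escalating.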
**Urgent Call for Updates**
Given that attackers are already using this vulnerability, and many vulnerable Fortinet systems are exposed on the internet, experts are strongly advising all users to update their products or apply recommended fixes as soon as possible.
FortiGuard Labs’ advisory provides detailed information on how to identify whether a system is affected and what steps to take to protect against this serious threat. One suggested mitigation, if immediate patching is not possible, is to disable the HTTP/HTTPS administrative interfaces. Given the ease of exploitation, immediate action is crucial to protect affected systems.