Fortinet Zero-Day Under Attack: PoC Now Publicly Available
FortiGuard Labs released an urgent advisory detailing a critical vulnerability, CVE-2025-32756, affecting several Fortinet products, including FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice.
The vulnerability is a stack-based buffer overflow located within the administrative API, specifically in the handling of session cookies.
This flaw allows for unauthenticated remote code execution, making it a prime target for attackers.
The following day, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
The vulnerability centers on the admin.fe CGI binary, which is reachable through the web server's mod_fcgid configuration.
Because mod_fcgid runs the CGI in a separate process, a request that crashes it does not take down the whole web server, so attackers can target the endpoint repeatedly, increasing the likelihood of successful exploitation.
A simple test using curl confirms access to the vulnerable endpoint:

```bash
curl -k -L -v https:///module/admin.fe
```
Technical Analysis: Exploiting the APSCOOKIE Field
A key aspect of the vulnerability lies in the processing of the APSCOOKIE session cookie, which contains three fields: Era, Payload, and AuthHash.
These fields are URL-encoded and used for session management within the admin interface.
The vulnerability specifically arises during the base64 decoding of the AuthHash field in the function cookieval_unwrap(), located in the shared library libhttputil.so.
In the unpatched version, the decompiled code performs the following sequence:

```c
/* %m makes sscanf allocate Payload and AuthHash on the heap, so their length is unbounded */
iVar2 = __isoc99_sscanf(param_1, "Era=%1d&Payload=%m[^&]&AuthHash=%m[^&]&", &Era, &Payload, &AuthHash);
input_size = strlen((char *)AuthHash);
/* output_buffer is a fixed-size stack buffer; input_size is never compared against it */
iVar3 = EVP_DecodeUpdate(ctx, (uchar *)output_buffer, &output_size, AuthHash, (int)input_size);
```

The absence of a size check on AuthHash allows an attacker to supply a base64-encoded string that, when decoded, exceeds the allocated buffer size (16 bytes), resulting in a classic stack buffer overflow.
The patched version introduces a crucial size check:
```c
input_size = strlen((char *)AuthHash);
if (input_size < 0x1e) {
    /* only an AuthHash shorter than 30 characters is passed to EVP_DecodeUpdate */
    // safe to decode
}
```
This change prevents oversized input from overflowing the buffer, effectively mitigating the vulnerability.
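As an added illustration (not code from the advisory, Fortinet, or the researchers cited), the following Python applies the same bounds to an HTTP Cookie header so a defender can flag AuthHash values that the patched check would reject; the cookie layout and the 0x1e and 16-byte figures come from the article, while the sample headers are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Bounds taken from the article: the patched cookieval_unwrap() only decodes
# AuthHash when strlen(AuthHash) < 0x1e, and the decode target is 16 bytes.
PATCHED_MAX_AUTHHASH_LEN = 0x1e
DECODE_BUFFER_SIZE = 16

def parse_apscookie(cookie_header):
    """Return the URL-decoded Era/Payload/AuthHash fields, or None if absent."""
    m = re.search(r"(?:^|;\s*)APSCOOKIE=([^;]*)", cookie_header)
    if not m:
        return None
    fields = {}
    for part in unquote(m.group(1)).split("&"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    if not {"Era", "Payload", "AuthHash"} <= fields.keys():
        return None
    return fields

def decoded_length(b64):
    """Bytes a strict base64 decode yields, or None if the value is not base64."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def assess_cookie(cookie_header):
    """Flag an AuthHash the patched length check rejects or that overruns the buffer."""
    fields = parse_apscookie(cookie_header)
    if fields is None:
        return {"status": "no-apscookie", "reasons": []}
    auth_hash = fields["AuthHash"]
    reasons = []
    if len(auth_hash) >= PATCHED_MAX_AUTHHASH_LEN:
        reasons.append("AuthHash length %d >= 0x%x" % (len(auth_hash), PATCHED_MAX_AUTHHASH_LEN))
    n = decoded_length(auth_hash)
    if n is not None and n > DECODE_BUFFER_SIZE:
        reasons.append("decodes to %d bytes, more than the %d-byte buffer" % (n, DECODE_BUFFER_SIZE))
    return {"status": "suspicious" if reasons else "ok",
            "authhash_len": len(auth_hash), "decoded_len": n, "reasons": reasons}

# Constructed Cookie headers (not captured traffic): a benign AuthHash that
# decodes to exactly 16 bytes, and an oversized one of the kind the article describes.
BENIGN_COOKIE = "APSCOOKIE=Era%3D0%26Payload%3Dadmin%26AuthHash%3D" + "A" * 22 + "%3D%3D"
OVERSIZED_COOKIE = "APSCOOKIE=Era%3D0%26Payload%3Dadmin%26AuthHash%3D" + "A" * 200
```

Run assess_cookie() over the Cookie headers of requests to /module/admin.fe captured by a reverse proxy or WAF; a "suspicious" verdict with both reasons set is the pattern described above.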
Impact, Exploitability, and Mitigation
The exploitability of CVE-2025-32756 is significant due to the lack of authentication required and the ease of triggering the overflow.
Attackers can overwrite critical stack values, including saved registers and the saved return address (and thus RIP), potentially gaining full control over the execution flow.
This can lead to arbitrary code execution with the privileges of the affected service.
A proof-of-concept exploit involves sending a specially crafted AuthHash value, such as a long string of base64-encoded null bytes, to the vulnerable endpoint.
Security researchers have confirmed that this approach can reliably trigger the overflow, and coverage for this vulnerability has already been added to security platforms like NodeZero.
FortiGuard Labs strongly recommends that all users update their Fortinet products or apply available mitigations immediately.
The advisory provides detailed indicators of compromise and mitigation steps.
Given the ongoing exploitation and the critical nature of the flaw, prompt action is essential to secure affected systems.