Fortinet Zero-Day Alert: CVE-2025-32756 Exploited in the Wild
Fortinet has disclosed a critical vulnerability, CVE-2025-32756, affecting FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. It was exploited as a zero-day before a fix was available and is still being exploited in the wild. Because it can be triggered by a remote, unauthenticated attacker, any affected appliance whose web interface is reachable is at risk, and organizations should patch immediately.
For detailed information, refer to Fortinet’s official security advisory: FG-IR-25-254
Vulnerability Overview – CVE-2025-32756
- CVE ID: CVE-2025-32756
- Severity: Critical (CVSS 9.6)
- Description: A stack-based buffer overflow (CWE-121) in the affected Fortinet products may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. The crash artifacts Fortinet published point at the administrative web interface handler (`admin.fe`), so the attack surface is the appliance's HTTP/HTTPS management interface.
Affected Products and Versions – CVE-2025-32756
- FortiVoice: Versions 6.0.0 through 7.2.0
- FortiMail: Versions 7.0.0 through 7.6.2
- FortiNDR: Versions 7.0.0 through 7.6.0
- FortiRecorder: Versions 6.0.0 through 7.2.3
- FortiCamera: Versions 1.1 through 2.1.3
Fortinet has released fixed builds for each affected release branch. Upgrade to the fixed build for your branch (or to the latest release) immediately; the ranges above are summaries, and the complete per-branch list of affected and fixed versions is in Fortinet's advisory: FG-IR-25-254.
Exploitation Details
Fortinet has observed active exploitation of this vulnerability, chiefly against FortiVoice systems. After gaining access, the threat actor was seen scanning the device's network, deleting system crash logs to cover their tracks, and enabling fcgi debugging so that credentials from system and SSH logins are written to a debug file, from which they were later harvested by the cron jobs listed below.
Indicators of Compromise (IOCs)
The following artifacts were identified by Fortinet as signs of active exploitation of CVE-2025-32756. Organizations running affected Fortinet products should investigate for these IOCs.
Log-Based Indicators
Review the httpd trace log from the appliance CLI:
```
diagnose debug application httpd display trace-log
```
Look for entries resembling:
```
[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection
[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
```
The `signal 11` is the administrative FastCGI handler (`admin.fe`) segfaulting, consistent with an overflow attempt crashing the process; the pids and client addresses will differ from the sample. Absence of these entries does not clear a device, since the attacker was observed deleting crash logs after exploitation.
Threat Actor IP Addresses
Block and monitor for any outbound/inbound communication with the following IPs:
198.105.127.124
43.228.217.173
43.228.217.82
156.236.76.90
218.187.69.244
218.187.69.59
Modified Configuration or Debug Settings
Run:
```
diag debug application fcgi
```
If the output shows:
```
fcgi debug level is 0x80041
general to-file ENABLED
```
then fcgi debugging has been turned on and is being written to file. This is not a default setting; in the observed intrusions it was enabled so that credentials from system and SSH logins would land in `fcgi.debug`, which the attacker's cron jobs then harvested. Treat it as an indicator of compromise unless an administrator can account for it.
Malicious Files and Persistence Mechanisms
Check for the presence or modification of the following files. Where Fortinet published an MD5 it is listed; the remaining entries are identified by path and content.

| File Path | Description | MD5 (where published) |
|---|---|---|
| /bin/wpad_ac_helper | Main malware file | 4410352e110f82eabc0bf160bec41d21 |
| /bin/busybox | Malicious binary (identify by hash) | ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590 |
| /var/spool/.sync | File used to store harvested credentials | |
| /data/etc/crontab | Contains a cron job that greps passwords out of fcgi.debug | |
| /var/spool/cron/crontabs/root | Backs up fcgi.debug file contents | |
| /lib/libfmlogin.so | Malicious SSH login logger | 364929c45703a84347064e2d5de45bcd |
| /tmp/.sshdpm | Stores stolen credentials | |
| /bin/fmtest | Script for internal scanning | 2c8834a52faee8d87cff7cd09c4fb946 |
| /etc/pam.d/sshd | Modified to load the malicious PAM module | |
| /etc/httpd.conf | Modified to load a socks5 module | |

Taken together these indicators describe a full compromise chain: credential harvesting (fcgi debugging, the PAM/SSH logger and the credential stores), internal network scanning (`fmtest`), persistence (cron jobs, the modified `sshd` PAM stack and `httpd.conf`), and log manipulation. A printable version of these IOCs is available at this link: Fortinet_CVE-2025-32756_IOC_Reference_Sheet.pdf
Below are sample SIEM queries, for several SIEM products and query languages, that search for these IOCs. They are meant to speed up an investigation, not replace it: adjust index names, sourcetypes and field names to match your environment, and bear in mind that several indicators (the trace log, the fcgi debug state, the on-box files) are only visible from the appliance CLI unless you forward that data to the SIEM.
## SIEM Query Examples for Detecting Fortinet CVE-2025-32756 IOCs
---
## IP Address-Based Detection
**Suspicious IP Addresses:**
```
198.105.127.124
43.228.217.173
43.228.217.82
156.236.76.90
218.187.69.244
218.187.69.59
```
### Splunk
```spl
index=* sourcetype=* ("198.105.127.124" OR "43.228.217.173" OR "43.228.217.82" OR "156.236.76.90" OR "218.187.69.244" OR "218.187.69.59")
```
### Elastic (KQL)
```kql
source.ip : ("198.105.127.124" or "43.228.217.173" or "43.228.217.82" or "156.236.76.90" or "218.187.69.244" or "218.187.69.59") or destination.ip : ("198.105.127.124" or "43.228.217.173" or "43.228.217.82" or "156.236.76.90" or "218.187.69.244" or "218.187.69.59")
```
### Azure Sentinel (KQL)
```kql
CommonSecurityLog
| where SourceIP in ("198.105.127.124", "43.228.217.173", "43.228.217.82", "156.236.76.90", "218.187.69.244", "218.187.69.59")
    or DestinationIP in ("198.105.127.124", "43.228.217.173", "43.228.217.82", "156.236.76.90", "218.187.69.244", "218.187.69.59")
```
### Wazuh
Wazuh rules are XML, and an IOC address list is best kept in a CDB list so the rule stays short. Put the six addresses in `etc/lists/fortinet-cve-2025-32756-ips` (one per line in `key:` form, e.g. `198.105.127.124:`), declare that file under `<ruleset><list>` in `ossec.conf`, then add the rules below (IDs 100200/100201 are placeholders in the custom range):
```xml
<group name="fortinet,cve-2025-32756,">
  <rule id="100200" level="12">
    <list field="srcip" lookup="address_match_key">etc/lists/fortinet-cve-2025-32756-ips</list>
    <description>Fortinet CVE-2025-32756 threat-actor IP seen as source</description>
  </rule>
  <rule id="100201" level="12">
    <list field="dstip" lookup="address_match_key">etc/lists/fortinet-cve-2025-32756-ips</list>
    <description>Fortinet CVE-2025-32756 threat-actor IP seen as destination</description>
  </rule>
</group>
```
---
## Log-Based Indicators
**Sample Error Strings:**
- `mod_fcgid: error reading data, FastCGI server closed connection`
- `mod_fcgid: process /migadmin/www/fcgi/admin.fe exit(communication error)`
### Splunk
```spl
index=* sourcetype=syslog "mod_fcgid" AND ("error reading data" OR "exit(communication error)")
```
### Elastic (KQL)
```kql
message : mod_fcgid and (message : "error reading data" or message : "exit(communication error)")
```
### Azure Sentinel (KQL)
```kql
Syslog
| where SyslogMessage has "mod_fcgid" and (SyslogMessage has "error reading data" or SyslogMessage has "exit(communication error)")
```
---
## Debug Setting Change: `fcgi debugging` Enabled
**Indicators:**
- `fcgi debug level is 0x80041`
- `general to-file ENABLED`
These strings are the output of the appliance CLI command `diag debug application fcgi`, so the queries below only return results if that output (for example from a scheduled CLI collection) is ingested into the SIEM; otherwise run the command on each device directly.
### Splunk
```spl
index=* sourcetype=* ("fcgi debug level is 0x80041" OR "general to-file ENABLED")
```
### Elastic (KQL)
```kql
message : "fcgi debug level is 0x80041" or message : "general to-file ENABLED"
```
---
## File Creation Events (Audit/EDR Logs)
**Files of Interest:**
- `/bin/wpad_ac_helper`
- `/bin/busybox` (only meaningful together with the published hashes)
- `/lib/libfmlogin.so`
- `/tmp/.sshdpm`
- `/var/spool/.sync`
- `/bin/fmtest`
These paths live on the appliance itself, where no EDR agent runs; the queries apply to file-integrity or audit data that has been exported from the device or collected during an investigation.
### Splunk (with file integrity monitoring logs)
```spl
index=* ("/bin/wpad_ac_helper" OR "/bin/busybox" OR "/lib/libfmlogin.so" OR "/tmp/.sshdpm" OR "/var/spool/.sync" OR "/bin/fmtest")
```
### Elastic (KQL)
```kql
file.path : ("/bin/wpad_ac_helper" or "/bin/busybox" or "/lib/libfmlogin.so" or "/tmp/.sshdpm" or "/var/spool/.sync" or "/bin/fmtest")
```
---
## Crontab Monitoring
**Crontab entries to look for:**
- `grep -rn passw /var/spool/crashlog/fcgi.debug` (pulls credentials out of the debug file)
- `cat /dev/null >/var/spool/crashlog/fcgi.debug` (truncates the debug file once it has been harvested)
### Elastic (KQL)
```kql
process.command_line : *fcgi.debug* or file.path : ("/data/etc/crontab" or "/var/spool/cron/crontabs/root")
```
### Splunk
```spl
index=* "crontab" AND ("grep -rn passw" OR "fcgi.debug")
```
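The CLI checks in the IOC section (trace log, fcgi debug state, file list) and the SIEM queries above all reduce to matching a handful of published strings, addresses and hashes against data you have collected. The following Python script is an added example, not Fortinet's tooling and not code from the original page: it takes text already pulled from the appliance (the httpd trace log and the `diag debug application fcgi` output) plus a path-to-MD5 map gathered out of band, and reports which published IOCs match. All `SAMPLE_*` inputs are constructed for the demonstration, and the function and constant names are the example's own.

```python
"""IOC sweep for the Fortinet CVE-2025-32756 artifacts listed in FG-IR-25-254.

Added example (not Fortinet's tooling). Inputs are text an operator has already
collected: the httpd trace log, the `diag debug application fcgi` output and a
{path: md5} map. The SAMPLE_* values below are constructed for this demo.
"""
import hashlib
import re

# Threat-actor IPs and file hashes published by Fortinet.
IOC_IPS = {
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
}
IOC_HASHES = {  # path -> MD5 digests Fortinet associated with that path
    "/bin/wpad_ac_helper": {"4410352e110f82eabc0bf160bec41d21"},
    "/bin/busybox": {"ebce43017d2cb316ea45e08374de7315",
                     "489821c38f429a21e1ea821f8460e590"},
    "/lib/libfmlogin.so": {"364929c45703a84347064e2d5de45bcd"},
    "/bin/fmtest": {"2c8834a52faee8d87cff7cd09c4fb946"},
}
# Paths with no legitimate reason to exist; presence alone is a hit.
IOC_PATHS = {"/var/spool/.sync", "/tmp/.sshdpm"}

# Crash signatures from the trace log. The pid inside admin.fe(...) varies per
# event, so it is matched with \d+ instead of the literal 1741 in the advisory.
CRASH_PATTERNS = [
    re.compile(r"mod_fcgid: error reading data, FastCGI server closed connection"),
    re.compile(r"mod_fcgid: process /migadmin/www/fcgi/admin\.fe\(\d+\) "
               r"exit\(communication error\), get unexpected signal 11"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(text):
    """Return (line_no, reason) for each trace-log or syslog line carrying an IOC."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in CRASH_PATTERNS):
            hits.append((no, "fcgi crash signature"))
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((no, f"threat-actor ip {ip}"))
    return hits


def fcgi_debug_enabled(output):
    """True when `diag debug application fcgi` shows the non-default state seen
    in the intrusions: a non-zero debug level with file logging enabled."""
    level = re.search(r"fcgi debug level is 0x([0-9a-fA-F]+)", output)
    to_file = re.search(r"general to-file\s+ENABLED", output)
    return bool(level and int(level.group(1), 16) != 0 and to_file)


def md5_hex(data):
    # MD5 is used only because the published IOCs are MD5 digests.
    return hashlib.md5(data).hexdigest()


def check_files(observed):
    """observed: {path: md5 hex or None (present, hash not computed)}.
    Returns (path, reason) for each path that matches a published IOC."""
    hits = []
    for path, digest in observed.items():
        if path in IOC_PATHS:
            hits.append((path, "known malicious path present"))
        elif path in IOC_HASHES and digest and digest.lower() in IOC_HASHES[path]:
            hits.append((path, "md5 matches published IOC"))
    return hits


# --- constructed sample inputs (not real captures) ---------------------------
SAMPLE_TRACE_LOG = (
    "[Tue May 13 10:02:11.123 2025] [fcgid:warn] [pid 1829] [client 43.228.217.173:51432] "
    "mod_fcgid: error reading data, FastCGI server closed connection\n"
    "[Tue May 13 10:02:11.130 2025] [fcgid:error] [pid 1503] mod_fcgid: process "
    "/migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11\n"
    "[Tue May 13 10:05:40.000 2025] [fcgid:info] [pid 1829] [client 10.0.0.8:40001] "
    "mod_fcgid: server admin.fe started\n"
)
SAMPLE_DEBUG_OUTPUT = "fcgi debug level is 0x80041\ngeneral to-file ENABLED\n"
SAMPLE_FILES = {
    "/bin/wpad_ac_helper": "4410352e110f82eabc0bf160bec41d21",    # IOC hash
    "/bin/busybox": md5_hex(b"constructed stand-in, not the IOC"),  # benign
    "/tmp/.sshdpm": None,                                           # present
}


def sweep(log=SAMPLE_TRACE_LOG, debug=SAMPLE_DEBUG_OUTPUT, files=SAMPLE_FILES):
    """Run all three checks and return the findings in one dict."""
    return {
        "log_hits": scan_log(log),
        "debug_enabled": fcgi_debug_enabled(debug),
        "file_hits": check_files(files),
    }


if __name__ == "__main__":
    for key, value in sweep().items():
        print(f"{key}: {value}")
```

The pid in `admin.fe(<pid>)` and the client address are deliberately not matched literally, since they change per event; `/bin/busybox` is only reported when its digest equals one of the published hashes, while `/tmp/.sshdpm` and `/var/spool/.sync` are reported on presence alone.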
Recommended Actions
- Patch immediately: upgrade every affected product to the fixed build for its release branch as listed in Fortinet's security advisory.
- Apply the workaround where patching must wait: Fortinet's stated mitigation is to disable the HTTP/HTTPS administrative interface, since the vulnerability is reached through crafted HTTP requests to that interface.
- Restrict access: keep management interfaces off the internet and reachable only from dedicated administrative networks.
- Hunt before declaring a device clean: run the CLI checks and IOC searches above. Patching closes the entry point but does not remove an implant that is already installed; a device showing any IOC should be treated as compromised, and credentials that could have been captured through fcgi.debug or the SSH login logger should be rotated.
- Monitor and review logs: keep continuous monitoring in place for the threat-actor IPs and the file and crontab artifacts, and audit the appliance's logs for unexpected configuration changes such as fcgi debugging being enabled.
Fortinet has released patches addressing this vulnerability. Details are available in their security advisory: FG-IR-25-254.
Strengthen Your Cybersecurity Posture
Given the critical nature of this vulnerability and its active exploitation, it is imperative to ensure your systems are protected. Our Patch Management Services can assist with timely updates and continuous monitoring to safeguard your infrastructure against such threats. In addition, our 24/7/365 MXDR and proactive threat hunting can identify indicators of compromise and suspicious activity quickly, allowing for rapid response to zero-day vulnerabilities.
Don’t leave your systems exposed. Our expert team can help you patch vulnerabilities promptly and monitor for threats continuously. Learn more about our Patch Management Services.