Fortinet's Cookie Crumble: Analyzing CVE-2025-32756 Stack-Based Buffer Overflow

A critical stack-based buffer overflow in Fortinet products (CVE-2025-32756) allows remote unauthenticated attackers to execute arbitrary code via malicious HTTP cookies.

Introduction

Fortinet devices, widely trusted for network security, now face a critical threat from CVE-2025-32756—a stack-based buffer overflow vulnerability enabling remote attackers to execute arbitrary code simply by sending malicious HTTP cookies. With a CVSS score of 9.8, this vulnerability demands immediate attention from security teams.

Affected Systems and Versions

  • FortiVoice: Versions 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10
  • FortiRecorder: Versions 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5
  • FortiMail: Versions 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8
  • FortiNDR: Versions 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.0.0–7.0.6
  • FortiCamera: Versions 2.1.0–2.1.3, 2.0.x, 1.1.x

Technical Information

The vulnerability (CWE-121) stems from improper bounds checking during HTTP request processing. Attackers exploit this by sending HTTP requests with specially crafted hash cookies, causing a stack overflow. The overflow lets attackers overwrite adjacent stack memory, such as a saved return address, which leads to arbitrary code execution with root-level privileges.

Attack Vector

Attackers remotely target exposed HTTP/HTTPS interfaces, injecting maliciously crafted cookies to trigger the overflow. Successful exploitation grants attackers full control over the compromised device, enabling further network penetration.

Patch Information

Fortinet has released patches addressing CVE-2025-32756. Organizations must update immediately to the versions specified in the official advisory FG-IR-25-254. If immediate patching is not possible, restrict HTTP access and deploy web application firewalls as interim measures.

Detection Methods

Organizations should audit HTTP logs for suspicious cookie patterns, specifically overly large or abnormal hash cookie values. Indicators of compromise include unusual HTTP request patterns and unexpected system processes or user accounts.
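The log audit described above can be sketched as follows. This is an added example, not code from Fortinet or the advisory: the log layout, the idea that the field name contains "hash", the hypothetical `userhash` sub-field, and the 128-character ceiling are all assumptions to adapt to your own logs.

```python
import re
from urllib.parse import unquote

# Assumptions for this sketch (none come from the advisory): the access-log
# layout, a field whose name contains "hash", and the 128-character ceiling.
MAX_HASH_LEN = 128
EXPECTED_CHARS = re.compile(r"[A-Za-z0-9+/=_-]*")  # hex / base64 alphabet
LOG_LINE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$')
HASH_FIELD = re.compile(r"([\w-]*hash[\w-]*)=([^;&]*)", re.IGNORECASE)

def audit_line(line):
    """Return (source, field, raw_length, reason) findings for one log line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []  # unparseable line: nothing to report here
    findings = []
    for name, raw in HASH_FIELD.findall(m["cookie"]):
        raw = raw.strip()
        reasons = []
        if len(raw) > MAX_HASH_LEN:
            reasons.append("oversized")
        # Decode percent-escapes so encoded binary bytes are also caught.
        if not EXPECTED_CHARS.fullmatch(unquote(raw)):
            reasons.append("unexpected-bytes")
        if reasons:
            findings.append((m["src"], name, len(raw), "+".join(reasons)))
    return findings

def audit(lines):
    """Collect findings across all log lines, in input order."""
    return [f for line in lines for f in audit_line(line)]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 '
    '"session=abc; hash=3q2+7w=="',
    '203.0.113.9 - - [12/May/2025:10:01:05 +0000] "POST /login HTTP/1.1" 500 0 '
    '"session=x; hash=' + "A" * 600 + '"',
    '203.0.113.24 - - [12/May/2025:10:01:09 +0000] "GET / HTTP/1.1" 200 10 '
    '"token=a=1&userhash=%00%01%fe"',
    '192.0.2.4 - - [12/May/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 10 "-"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Many appliances and proxies do not log the Cookie header by default, so this check only works where that header is captured, for example at a reverse proxy placed in front of the management interface.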

Vendor Security History

Fortinet has previously faced similar vulnerabilities, notably CVE-2023-33308 and CVE-2024-55591, highlighting recurring issues with buffer overflow and authentication bypass. While Fortinet typically responds promptly with patches, the frequency of vulnerabilities underscores the need for vigilant patch management.

Security teams must act swiftly to mitigate this critical vulnerability, ensuring robust defenses against potential exploitation.