CVE-2025-32756 PoC — Fortinet多款产品 安全漏洞

Source

Associated Vulnerability

Description

CVE-2025-32756-POC

Readme

# Blackash-CVE-2025-32756

# CVE-2025-32756 'Fortinet' RCE PoC ‼️

# Description:

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions `7.2.0`, `7.0.0` through `7.0.6`, `6.4.0` through `6.4.10`, FortiRecorder versions `7.2.0` through `7.2.3`, `7.0.0` through `7.0.5`, `6.4.0` through `6.4.5`, FortiMail versions `7.6.0` through `7.6.2`, `7.4.0` through `7.4.4`, `7.2.0` through `7.2.7`, `7.0.0` through `7.0.8`, FortiNDR versions `7.6.0`, `7.4.0` through `7.4.7`, `7.2.0` through `7.2.4`, `7.0.0` through `7.0.6`, FortiCamera versions `2.1.0` through `2.1.3`, 2.0 all versions, 1.1 all versions, allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.

# Metrics:

CVSS 3.x Severity and Vector Strings:

CNA:  `Fortinet`, Inc. 'Base Score': 9.8 CRITICAL ⚫ Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The vulnerability exists in the processing of the enc parameter in the /remote/hostcheck_validate endpoint, where improper bounds checking allows buffer overflow.

# Usage:

```
python3 CVE-2025-32756.py target_ip [-p port] [-d]
```

# Arguments:

+ `target_ip`: Target Fortinet device
+ `-p, --port`: Target port (default: 443)
+ `-d, --debug`: Enable debug output

# Mitigation:

Update to patched versions:

+ `FortiVoice`: 7.2.1+, 7.0.7+, 6.4.11+
+ `FortiMail`: 7.6.3+, 7.4.5+, 7.2.8+, 7.0.9+
+ `FortiNDR`: 7.6.1+, 7.4.8+, 7.2.5+, 7.0.7+
+ `FortiRecorder`: 7.2.4+, 7.0.6+, 6.4.6+
+ `FortiCamera`: 2.1.4+

# Disclaimer ⚠️

For educational and research purposes only. Use only against systems you own or have permission to test.

File Snapshot

 [4.0K]  /data/pocs/bbcfc758b8ea2f7270f05d3561ba400cb31ee394
├── [7.9K]  CVE-2025-32756.py
├── [1.6K]  README.md
└── [  34]  requirements.txt

0 directories, 3 files

Remarks