Fortinet 0-Day Exploit Released as Attacks Surge
A publicly available proof-of-concept (PoC) exploit for a critical zero-day vulnerability in multiple Fortinet products has heightened concerns over enterprise network security. The flaw, identified as CVE-2025-32756 with a CVSS score of 9.8, enables unauthenticated remote code execution via a stack-based buffer overflow in the `/remote/hostcheck_validate` endpoint. It originates from improper bounds checking of the `enc` parameter in the `AuthHash` cookie.
The Python-based exploit allows attackers to execute arbitrary code by sending crafted HTTP POST requests. Affected systems include FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Fortinet confirmed active exploitation targeting FortiVoice, with threat actors conducting reconnaissance, erasing logs, and deploying credential-stealing malware. Indicators of compromise include specific IP addresses and malicious files such as `/bin/wpad_ac_helper` and `/lib/libfmlogin.so`.
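The two details above that a defender can act on (oversized `enc` values in the `AuthHash` cookie sent to `/remote/hostcheck_validate`, and the two IoC file paths) can be turned into a quick triage check. The script below is an added example written for this page, not Fortinet's code or the published PoC; the log line format, the query-string layout of the `AuthHash` value and the 128-byte threshold are assumptions.

```python
import re
from typing import Dict, List, Optional

VULN_PATH = "/remote/hostcheck_validate"
# File paths the article names as indicators of compromise
IOC_FILES = {"/bin/wpad_ac_helper", "/lib/libfmlogin.so"}
# Assumption: a legitimate enc value is short; longer values are treated as suspicious
ENC_MAX_LEN = 128

# Constructed sample log lines (not from the article). Assumed line format:
#   <client_ip> <method> <path> <status> "<Cookie header>"
SAMPLE_LOG = [
    '198.51.100.7 GET /remote/login 200 "lang=en"',
    '203.0.113.9 POST /remote/hostcheck_validate 200 "AuthHash=enc=' + "A" * 600 + '"',
    '198.51.100.7 POST /remote/hostcheck_validate 200 "AuthHash=enc=abc123"',
    '203.0.113.9 POST /remote/hostcheck_validate 500 "AuthHash=enc=' + "B" * 400 + '"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def enc_length(cookie_header: str) -> Optional[int]:
    """Length of the enc parameter inside the AuthHash cookie, or None if absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "AuthHash":
            # Assumption: AuthHash carries a query-string-like body such as enc=<data>
            for field in value.split("&"):
                fname, fsep, fval = field.partition("=")
                if fsep and fname == "enc":
                    return len(fval)
    return None

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag POSTs to the vulnerable endpoint whose enc parameter is oversized."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, cookie = m.groups()
        if method != "POST" or path != VULN_PATH:
            continue
        n = enc_length(cookie)
        if n is not None and n > ENC_MAX_LEN:
            findings.append({"ip": ip, "enc_len": n, "status": int(status)})
    return findings

def check_ioc_files(present_paths: List[str]) -> List[str]:
    """Return which of the article's IoC file paths appear in a host's file listing."""
    return sorted(IOC_FILES.intersection(present_paths))
```

Run `scan_log` over the admin-interface access log and `check_ioc_files` over a file listing from the appliance; a hit from either is a reason to treat the device as compromised rather than merely unpatched.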
Patches have been released, and organizations are urged to update immediately. As a temporary measure, disabling HTTP/HTTPS admin interfaces is advised until systems are fully patched.
