As cybersecurity teams scrambled to respond, Fortinet revealed a critical zero-day vulnerability (CVE-2025-32756) on May 13, 2025, affecting multiple products in their security infrastructure lineup. The vulnerability, an unauthenticated stack-based buffer overflow, permits remote attackers to execute arbitrary code on affected systems without requiring authentication.
Security researchers have confirmed active exploitation in the wild, marking this as a significant threat to organizations utilizing Fortinet products. The vulnerability primarily impacts FortiOS and potentially FortiProxy, particularly targeting management interfaces of Fortinet firewalls. FortiVoice appliances are being specifically targeted by threat actors in current exploitation attempts.
Technical analysis reveals that successful exploitation allows threat actors to achieve complete system compromise, creating unauthorized administrative accounts and maintaining persistent access through SSL VPN authentication modifications. This pattern mirrors the January 2025 attacks that harnessed CVE-2024-55591 against similar Fortinet products.
Threat actors began exploiting the vulnerability immediately following its revelation, demonstrating sophisticated attack methodologies consistent with previous campaigns. The CVSS score of 9.6 underscores the critical severity of this security flaw. The exploitation chain begins with the buffer overflow vulnerability, followed by administrative account creation and strategic configuration changes to guarantee sustained access.
Organizations with internet-exposed management interfaces face particularly high risk, as these components present primary attack vectors. This latest security incident continues a concerning pattern of zero-day revelations and exploitations targeting Fortinet products throughout 2024-2025.
Previous vulnerabilities, including CVE-2024-21762 and CVE-2023-27997, have been systematically utilized for post-exploitation activities, highlighting the persistent nature of these security challenges. In response to the disclosure, multiple security firms including Rapid7 and Tenable have initiated tracking efforts, as CISA has issued an alert regarding the vulnerability.
Fortinet has released detailed Indicators of Compromise to aid in detection efforts, and security experts strongly advise organizations to immediately audit their exposure by checking for internet-facing management interfaces. Organizations are urged to implement available security measures and closely monitor their Fortinet infrastructure for signs of compromise.
