## https://sploitus.com/exploit?id=94C89595-0C09-5BFB-8B24-9E8E6AD74F9B
# Blackash-CVE-2025-32756
# CVE-2025-32756 'Fortinet' RCE PoC ‼️
# Description:
A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions `7.2.0`, `7.0.0` through `7.0.6`, `6.4.0` through `6.4.10`, FortiRecorder versions `7.2.0` through `7.2.3`, `7.0.0` through `7.0.5`, `6.4.0` through `6.4.5`, FortiMail versions `7.6.0` through `7.6.2`, `7.4.0` through `7.4.4`, `7.2.0` through `7.2.7`, `7.0.0` through `7.0.8`, FortiNDR versions `7.6.0`, `7.4.0` through `7.4.7`, `7.2.0` through `7.2.4`, `7.0.0` through `7.0.6`, FortiCamera versions `2.1.0` through `2.1.3`, 2.0 all versions, 1.1 all versions, allows a remote unauthenticated attacker to execute arbitrary code or commands by sending HTTP requests with a specially crafted hash cookie.
# Metrics:
CVSS 3.x Severity and Vector Strings:
CNA: Fortinet, Inc. Base Score: 9.8 CRITICAL. Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

The vulnerability exists in the processing of the `enc` parameter in the `/remote/hostcheck_validate` endpoint, where improper bounds checking allows a buffer overflow.
# Usage:
```
python3 CVE-2025-32756.py target_ip [-p port] [-d]
```
# Arguments:
+ `target_ip`: Target Fortinet device
+ `-p, --port`: Target port (default: 443)
+ `-d, --debug`: Enable debug output
# Mitigation:
Update to patched versions:
+ `FortiVoice`: 7.2.1+, 7.0.7+, 6.4.11+
+ `FortiMail`: 7.6.3+, 7.4.5+, 7.2.8+, 7.0.9+
+ `FortiNDR`: 7.6.1+, 7.4.8+, 7.2.5+, 7.0.7+
+ `FortiRecorder`: 7.2.4+, 7.0.6+, 6.4.6+
+ `FortiCamera`: 2.1.4+
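
The affected ranges and fixed releases listed on this page, turned into an inventory triage check. This is an added example, not part of the PoC repository; the inventory rows are constructed and `triage` and `report` are hypothetical helper names.

```python
import re

# Transcribed from this page: branch -> (last affected patch, first fixed release).
# last = None: the page lists every release of that branch as affected.
TABLE = {
    "fortivoice":    {"7.2": (0, "7.2.1"), "7.0": (6, "7.0.7"), "6.4": (10, "6.4.11")},
    "fortirecorder": {"7.2": (3, "7.2.4"), "7.0": (5, "7.0.6"), "6.4": (5, "6.4.6")},
    "fortimail":     {"7.6": (2, "7.6.3"), "7.4": (4, "7.4.5"),
                      "7.2": (7, "7.2.8"), "7.0": (8, "7.0.9")},
    "fortindr":      {"7.6": (0, "7.6.1"), "7.4": (7, "7.4.8"),
                      "7.2": (4, "7.2.5"), "7.0": (6, "7.0.7")},
    # 2.1.4+ is the only FortiCamera fix the page lists, so 2.0/1.1 point there too.
    "forticamera":   {"2.1": (3, "2.1.4"), "2.0": (None, "2.1.4"),
                      "1.1": (None, "2.1.4")},
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def triage(product, version):
    """Return (status, upgrade_target); status: affected/patched/not-listed/unparsed."""
    m = VERSION_RE.search(version)
    if m is None:
        return ("unparsed", None)
    entry = TABLE.get(product.strip().lower(), {}).get(f"{m[1]}.{m[2]}")
    if entry is None:
        return ("not-listed", None)      # product or branch not covered by this page
    last_affected, fixed = entry
    if last_affected is None:
        return ("affected", fixed)       # whole branch affected
    if m[3] is None:
        return ("unparsed", None)        # patch level is required to decide
    if int(m[3]) <= last_affected:
        return ("affected", fixed)
    return ("patched", None)

INVENTORY = [  # constructed sample rows: (host, product, reported version)
    ("pbx-01", "FortiVoice", "7.0.6"),
    ("mail-gw", "FortiMail", "v7.4.5"),
    ("cam-lobby", "FortiCamera", "2.0.1"),
    ("rec-02", "FortiRecorder", "6.4.6 build 1234"),
    ("fw-edge", "FortiGate", "7.4.3"),
]

def report(inventory):
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, (status, fix) in report(INVENTORY).items():
        print(f"{host:10} {status:10} {'upgrade to ' + fix + '+' if fix else ''}")
```

A `not-listed` result means only that this page says nothing about that product or branch; check the vendor advisory before treating the device as unaffected.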
# Disclaimer ⚠️
For educational and research purposes only. Use only against systems you own or have permission to test.