Unauthenticated RCE in Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera
CVE-2025-32756 is a critical stack-based buffer overflow in multiple Fortinet products: FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice. It is triggered by a crafted HTTP request whose hash cookie is processed without adequate bounds checking on an administrative/API path, so an oversized cookie value overwrites stack memory and can lead to arbitrary code or command execution. No authentication is required. Fortinet confirmed the vulnerability was exploited in the wild, with observed activity primarily targeting FortiVoice systems.
Exploits
Four exploit repositories remain after filtering out fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-32756, a stack-based buffer overflow vulnerability affecting multiple Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera) across several versions. The exploit is implemented in a single Python script (CVE-2025-32756.py), which constructs and sends specially crafted HTTP POST requests to the /remote/hostcheck_validate endpoint of a target device. The payload is designed to overflow a stack buffer by abusing the enc parameter, potentially leading to a crash, denial of service, or remote code execution. The script also interacts with the /remote/info endpoint to retrieve a salt value required for payload construction. The repository includes a README.md with detailed vulnerability, usage, and mitigation information, and a requirements.txt listing Python dependencies. The exploit is a PoC and does not include a post-exploitation payload; its primary purpose is to demonstrate the existence of the vulnerability.
This repository consists of a single configuration file (config.json) that defines the parameters for a remote exploit targeting a service at 180.21.21.21:443 over HTTPS, specifically the /remote/login endpoint. The configuration describes an amd64, little-endian target with ASLR and stack canaries disabled but DEP/NX enabled, and a ROP chain that executes /bin/sh to open a bind shell on port 5555. The payload is delivered in a cookie of a specially crafted HTTP GET request. Post-exploitation, the configuration lists commands to run on the target, such as writing the output of 'id' to /pwned.html. The repository contains no code, only configuration, and is presumably meant for an external exploit framework or script that interprets it. Treat it with caution: it references /remote/login rather than the /remote/hostcheck_validate endpoint used by the other PoCs, and with no code to review there is nothing in it that can be validated against this CVE.
This repository provides a Python proof-of-concept (PoC) exploit for CVE-2025-32756, a critical stack-based buffer overflow vulnerability in several Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera). The exploit targets the /remote/hostcheck_validate endpoint, abusing improper bounds checking in the processing of the 'enc' parameter. The main script, 'fortinet_cve_2025_32756_poc.py', constructs a specially crafted payload using a salt (retrieved from /remote/info) and a seed, then sends two HTTP POST requests to the vulnerable endpoint to trigger the overflow. The PoC demonstrates the vulnerability but does not deliver a shell or custom code execution payload. The repository also includes a README.md with detailed usage instructions, affected product versions, and mitigation advice, as well as a requirements.txt listing Python dependencies. The exploit is unauthenticated and works over HTTPS, making it a remote, network-based attack. The code is structured for clarity and research purposes, with debug options and clear separation of payload construction and delivery logic.
This repository provides a Python proof-of-concept (PoC) exploit for CVE-2025-32756, a critical unauthenticated stack-based buffer overflow vulnerability in several Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera). The main exploit script, 'fortinet_cve_2025_32756_poc.py', allows users to scan for vulnerable devices and attempt exploitation by sending a specially crafted HTTP POST request to the '/remote/hostcheck_validate' endpoint with a malformed 'enc' parameter. The script demonstrates the vulnerability by triggering the overflow and modifying a single byte in memory, but does not execute arbitrary code or provide shell access. The repository also includes a README with detailed usage instructions and mitigation advice, a requirements.txt for dependencies, and a .gitignore. The exploit is network-based, targeting HTTPS services on the affected Fortinet devices. The code is structured to support both single-target exploitation and multi-target scanning, with options for IP ranges and output to CSV. This PoC is intended for research and educational purposes only and does not weaponize the vulnerability.
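The three PoCs above share one request pattern: a GET to /remote/info to fetch a salt, then a POST to /remote/hostcheck_validate carrying an oversized 'enc' parameter that overflows the stack. The following is an added example (not code from any of the repositories above, and not a Fortinet tool) that hunts for that pattern in web-access logs. The log format, the sample lines, the 512-byte size threshold, and the 60-second sequence window are all assumptions made for the example, not vendor guidance; adapt the parser to whatever your devices actually export.

```python
"""Hunt web-access logs for the salt-fetch-then-overflow sequence the public
PoCs for CVE-2025-32756 use against /remote/hostcheck_validate.

Added example. The log format below is constructed for illustration and is
NOT Fortinet's own log format; thresholds are assumptions, not vendor values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

INFO_PATH = "/remote/info"                   # salt retrieval step in the PoCs
VALIDATE_PATH = "/remote/hostcheck_validate"  # endpoint that processes 'enc'
ENC_BYTES_THRESHOLD = 512                     # assumption: benign request bodies are small
SEQUENCE_WINDOW = timedelta(seconds=60)       # assumption: PoCs run both steps back to back

# Constructed sample, not real device logs.
# Format (assumed): "<ISO-8601 ts> <client> <method> <path> <status> <request_bytes>"
SAMPLE_LOG = """\
# constructed sample lines
2025-06-01T10:00:01 198.51.100.5 GET /remote/info 200 0
2025-06-01T10:00:02 198.51.100.5 POST /remote/hostcheck_validate 500 4120
2025-06-01T10:05:00 203.0.113.9 GET /remote/login 200 0
2025-06-01T10:05:03 203.0.113.9 POST /remote/hostcheck_validate 200 96
2025-06-01T11:00:00 192.0.2.44 GET /remote/info 200 0
2025-06-01T12:30:00 192.0.2.44 POST /remote/hostcheck_validate 200 80
"""


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    path: str
    status: int
    req_bytes: int


def parse_line(line: str) -> Request:
    """Parse one line of the constructed format into a Request."""
    ts, client, method, path, status, req_bytes = line.split()
    return Request(datetime.fromisoformat(ts), client, method, path,
                   int(status), int(req_bytes))


def hunt(lines):
    """Return (rule, client, timestamp) findings for suspicious requests.

    Rules:
      oversized_enc_post  - POST to /remote/hostcheck_validate with a request body
                            larger than ENC_BYTES_THRESHOLD (overflow attempt).
      info_then_validate  - same client fetched /remote/info within SEQUENCE_WINDOW
                            before POSTing to /remote/hostcheck_validate (PoC flow).
      validate_5xx        - the validate POST produced a 5xx, consistent with the
                            crash / denial-of-service outcome the PoCs describe.
    """
    findings = []
    last_info = {}  # client -> timestamp of its most recent GET /remote/info
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        r = parse_line(line)
        if r.method == "GET" and r.path == INFO_PATH:
            last_info[r.client] = r.ts
            continue
        if r.method == "POST" and r.path == VALIDATE_PATH:
            when = r.ts.isoformat()
            if r.req_bytes > ENC_BYTES_THRESHOLD:
                findings.append(("oversized_enc_post", r.client, when))
            seen = last_info.get(r.client)
            if seen is not None and timedelta(0) <= r.ts - seen <= SEQUENCE_WINDOW:
                findings.append(("info_then_validate", r.client, when))
            if 500 <= r.status <= 599:
                findings.append(("validate_5xx", r.client, when))
    return findings


if __name__ == "__main__":
    for rule, client, when in hunt(SAMPLE_LOG.splitlines()):
        print(f"{when} {client} {rule}")
```

On the constructed sample only 198.51.100.5 is flagged (all three rules fire); the short POST from 203.0.113.9 and the 90-minute-apart pair from 192.0.2.44 are not. The info-then-validate sequence alone is weak evidence, since a legitimate client may well hit both endpoints in order; weight the oversized-body and 5xx rules more heavily, and treat any hit on an unpatched device as a reason to run the assume-compromise checks in Fortinet's advisory rather than as proof of exploitation.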
Recent activity
A 2025 vulnerability listed among those incorporated into RondoDox exploitation activity after public disclosure.
A critical stack-based overflow vulnerability in Fortinet products (including FortiVoice) enabling remote unauthenticated code execution; exploited as a zero-day.
Arbitrary code execution vulnerability affecting multiple Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera).
A buffer overflow vulnerability in Fortinet FortiVoice allowing remote code execution via malformed HTTP cookies.