TI - CVE-2025-32756 - Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability
Description:
On 13 May 2025 the vendor Fortigate warned of a critical vulnerability (CVE-2025-32756) in its products FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. The stack-based buffer overflow vulnerability allows an unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. In the cases observed by Fortigate, the attackers' operations included the following actions:
- Network scans
- Deleting logs
- Enabling fcgi debugging in order to log credentials from the system or from SSH login attempts
Affected systems:
FortiCamera 2.1 - 2.1.0 through 2.1.3
FortiCamera 2.0 - 2.0 all versions
FortiCamera 1.1 - 1.1 all versions
FortiMail 7.6 - 7.6.0 through 7.6.2
FortiMail 7.4 - 7.4.0 through 7.4.4
FortiMail 7.2 - 7.2.0 through 7.2.7
FortiMail 7.0 - 7.0.0 through 7.0.8
FortiNDR 7.6 - 7.6.0
FortiNDR 7.4 - 7.4.0 through 7.4.7
FortiNDR 7.2 - 7.2.0 through 7.2.4
FortiNDR 7.1 - 7.1 all versions
FortiNDR 7.0 - 7.0.0 through 7.0.6
FortiNDR 1.5 - 1.5 all versions
FortiNDR 1.4 - 1.4 all versions
FortiNDR 1.3 - 1.3 all versions
FortiNDR 1.2 - 1.2 all versions
FortiNDR 1.1 - 1.1 all versions
FortiRecorder 7.2 - 7.2.0 through 7.2.3
FortiRecorder 7.0 - 7.0.0 through 7.0.5
FortiRecorder 6.4 - 6.4.0 through 6.4.5
FortiVoice 7.2 - 7.2.0
FortiVoice 7.0 - 7.0.0 through 7.0.6
FortiVoice 6.4 - 6.4.0 through 6.4.10
Fixed versions:
FortiCamera 2.1 - Upgrade to 2.1.4 or above
FortiCamera 2.0 - Migrate to a fixed release
FortiCamera 1.1 - Migrate to a fixed release
FortiMail 7.6 - Upgrade to 7.6.3 or above
FortiMail 7.4 - Upgrade to 7.4.5 or above
FortiMail 7.2 - Upgrade to 7.2.8 or above
FortiMail 7.0 - Upgrade to 7.0.9 or above
FortiNDR 7.6 - Upgrade to 7.6.1 or above
FortiNDR 7.4 - Upgrade to 7.4.8 or above
FortiNDR 7.2 - Upgrade to 7.2.5 or above
FortiNDR 7.1 - Migrate to a fixed release
FortiNDR 7.0 - Upgrade to 7.0.7 or above
FortiNDR 1.5 - Migrate to a fixed release
FortiNDR 1.4 - Migrate to a fixed release
FortiNDR 1.3 - Migrate to a fixed release
FortiNDR 1.2 - Migrate to a fixed release
FortiNDR 1.1 - Migrate to a fixed release
FortiRecorder 7.2 - Upgrade to 7.2.4 or above
FortiRecorder 7.0 - Upgrade to 7.0.6 or above
FortiRecorder 6.4 - Upgrade to 6.4.6 or above
FortiVoice 7.2 - Upgrade to 7.2.1 or above
FortiVoice 7.0 - Upgrade to 7.0.7 or above
FortiVoice 6.4 - Upgrade to 6.4.11 or above
Recommended actions:
Fortinet has released updates that fix the vulnerability. Affected systems should be updated urgently to the versions listed above.
Threat assessment:
In the Product Security Incident Response Team's advisory, Fortigate states that it has observed active exploitation of the vulnerability on FortiMail. It also provides several IoCs (Indicators of Compromise) that point to such attacks.
Furthermore, CISA lists this vulnerability in its "Known Exploited Vulnerabilities" catalog, so there are confirmed cases of the vulnerability already being actively exploited.
Based on these factors, ACP rates the threat level as high, which is why the updates should be applied with priority.
Indicators of Compromise
The following log entries are possible IOCs:
Logs
Output of CLI command 'diagnose debug application httpd display trace-log':
[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection
[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11
IP Addresses
The Threat Actor (TA) has been seen using the following IP addresses:
198.105.127.124
43.228.217.173
43.228.217.82
156.236.76.90
218.187.69.244
218.187.69.59
Modified Settings
To verify if fcgi debugging is enabled on your system, use the following CLI command:
diag debug application fcgi
If the output shows "general to-file ENABLED", it means fcgi debugging is enabled on your system:
fcgi debug level is 0x80041
general to-file ENABLED
This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise.
Files
The following system files may have been modified or added by the TA:
- [Added File] /bin/wpad_ac_helper - MD5:4410352e110f82eabc0bf160bec41d21 - main malware file
- [Added File] /bin/busybox - MD5:ebce43017d2cb316ea45e08374de7315 and 489821c38f429a21e1ea821f8460e590
- /data/etc/crontab - A line was added to grep sensitive data from fcgi.debug:
0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
- /var/spool/cron/crontabs/root - A line was added to backup fcgi.debug:
0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug
- [Added File] /var/spool/.sync - Credentials are gathered into this file by the cron jobs above
- /etc/pam.d/sshd - Lines were added to it to include malicious libfmlogin.so below
- [Added File] /lib/libfmlogin.so - MD5:364929c45703a84347064e2d5de45bcd - malicious library that logs username and password using SSH login
- [Added File] /tmp/.sshdpm - contains credentials gathered by /lib/libfmlogin.so above
- [Added File] /bin/fmtest - MD5: 2c8834a52faee8d87cff7cd09c4fb946 - Script to scan the network
- /etc/httpd.conf - A line was added to include socks.so: LoadModule socks5_module modules/mod_socks5.so
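The following Python script is an added example, not part of this advisory or of Fortinet's own tooling. It turns the indicators from the Logs, Modified Settings and Files sections above into an offline check: each function takes evidence already exported from a device (trace-log lines, the fcgi debug output, crontab, httpd.conf and PAM file contents, MD5 sums and a path listing) and returns what matched. The IP addresses, hashes, paths and log signature are the ones listed above; the sample evidence at the end is constructed and the evidence-dict layout is an assumption of this example.

```python
"""Offline IoC checker for CVE-2025-32756 built from the indicators in this advisory.
Each check takes evidence exported from a device (CLI output, file contents, MD5 sums,
a path listing) and returns what matched. The sample evidence at the end is constructed."""
import re

# Indicators quoted from the advisory: TA IP addresses, MD5 sums, added file paths.
TA_IPS = {"198.105.127.124", "43.228.217.173", "43.228.217.82",
          "156.236.76.90", "218.187.69.244", "218.187.69.59"}
MALICIOUS_MD5 = {
    "4410352e110f82eabc0bf160bec41d21": "/bin/wpad_ac_helper",
    "ebce43017d2cb316ea45e08374de7315": "/bin/busybox",
    "489821c38f429a21e1ea821f8460e590": "/bin/busybox",
    "364929c45703a84347064e2d5de45bcd": "/lib/libfmlogin.so",
    "2c8834a52faee8d87cff7cd09c4fb946": "/bin/fmtest",
}
ADDED_FILES = {"/bin/wpad_ac_helper", "/var/spool/.sync", "/lib/libfmlogin.so",
               "/tmp/.sshdpm", "/bin/fmtest"}
# Log signatures from the advisory's httpd trace-log excerpt.
FCGI_CRASH_RE = re.compile(
    r"\[fcgid:error\].*admin\.fe\(\d+\) exit\(communication error\), get unexpected signal 11")
FCGI_WARN_RE = re.compile(r"\[fcgid:warn\].*FastCGI server closed connection")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_httpd_trace_log(lines):
    """Flag admin.fe crashes, the matching fcgid warning, and any TA IP in a line."""
    hits = []
    for line in lines:
        if FCGI_CRASH_RE.search(line):
            hits.append(("fcgi-crash", line.strip()))
        elif FCGI_WARN_RE.search(line):
            hits.append(("fcgi-warn", line.strip()))
        hits.extend(("ta-ip", ip) for ip in IPV4_RE.findall(line) if ip in TA_IPS)
    return hits


def check_fcgi_debug(output):
    """True if 'diag debug application fcgi' reports logging to file (not a default)."""
    return "general to-file ENABLED" in output


def grep_lines(text, needles):
    """Stripped lines of text containing any needle; used for crontab, httpd.conf, PAM."""
    return [l.strip() for l in text.splitlines() if any(n in l for n in needles)]


def check_file_hashes(md5_by_path):
    """md5_by_path maps path -> hex MD5 (e.g. from md5sum); returns known-bad matches."""
    return {p: h for p, h in md5_by_path.items() if h in MALICIOUS_MD5}


def check_added_files(present_paths):
    """Paths from the advisory's added-file list that exist on the device."""
    return sorted(ADDED_FILES & set(present_paths))


def assess(evidence):
    """Run every check over a dict of collected evidence; a non-empty/True value is a hit."""
    return {
        "trace_log": check_httpd_trace_log(evidence.get("trace_log", [])),
        "fcgi_debug_enabled": check_fcgi_debug(evidence.get("fcgi_debug", "")),
        # cron jobs that harvest fcgi.debug or write the credential drop file
        "crontab": grep_lines(evidence.get("crontab", ""),
                              ("/var/spool/crashlog/fcgi.debug", "/var/spool/.sync")),
        # the SOCKS5 module the TA loaded via httpd.conf
        "httpd_conf": grep_lines(evidence.get("httpd_conf", ""), ("mod_socks5.so", "socks5_module")),
        # PAM pulling in the credential-logging library
        "pam_sshd": grep_lines(evidence.get("pam_sshd", ""), ("libfmlogin.so",)),
        "bad_hashes": check_file_hashes(evidence.get("md5", {})),
        "added_files": check_added_files(evidence.get("paths", [])),
    }


# Constructed sample evidence (not real device output) mirroring the advisory's IoCs.
SAMPLE_EVIDENCE = {
    "trace_log": [
        "[x x x x:x:x.x 2025] [fcgid:warn] [pid 1829] [client 43.228.217.173:51234] "
        "mod_fcgid: error reading data, FastCGI server closed connection",
        "[x x x x:x:x.x 2025] [fcgid:error] [pid 1503] mod_fcgid: process "
        "/migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11",
    ],
    "fcgi_debug": "fcgi debug level is 0x80041\ngeneral to-file ENABLED\n",
    "crontab": "0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug "
               "> /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug\n",
    "httpd_conf": "LoadModule fcgid_module modules/mod_fcgid.so\n"
                  "LoadModule socks5_module modules/mod_socks5.so\n",
    "pam_sshd": "auth required pam_unix.so\nauth optional /lib/libfmlogin.so\n",
    "md5": {"/bin/busybox": "ebce43017d2cb316ea45e08374de7315",
            "/bin/ls": "00000000000000000000000000000000"},
    "paths": ["/bin/busybox", "/bin/ls", "/tmp/.sshdpm"],
}

if __name__ == "__main__":
    for name, result in assess(SAMPLE_EVIDENCE).items():
        print(f"{name}: {result or 'clean'}")
```

A single trace-log warning or a truncated busybox on its own is weak evidence; the checks are meant to be read together, and a hit on `fcgi_debug_enabled`, the crontab lines or a known-bad hash should trigger the full incident process rather than just the upgrade.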
Further links:
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
https://www.cve.org/CVERecord?id=CVE-2025-32756
https://www.cisa.gov/known-exploited-vulnerabilities-catalog