CISA adds Fortinet FortiOS auth bypass to KEV — what to do this week
An authentication bypass in FortiOS SSL-VPN was added to CISA's KEV catalog after observed exploitation. Federal agencies have 21 days to remediate. Carbynix Guardian and Fortress customers are already covered by detection rule CBNX-FORT-244.
What happened
CISA added CVE-2025-32756 — an authentication bypass in FortiOS SSL-VPN — to the Known Exploited Vulnerabilities (KEV) catalog at 09:14 EST today after observing in-the-wild exploitation against three federal agencies and one large healthcare organization in the past 72 hours. The flaw allows an unauthenticated remote attacker to mint a valid session token by replaying a malformed handshake packet against the SSL-VPN listener on TCP/443.
Federal civilian agencies have 21 days to remediate under BOD 22-01. Private organizations should treat the same window as a working ceiling.
Who is affected
- FortiOS 7.4.0 through 7.4.4
- FortiOS 7.2.0 through 7.2.8
- FortiOS 7.0.0 through 7.0.15
If you don’t run SSL-VPN on the listed versions, you are not exposed by this specific CVE. The Fortinet PSIRT advisory linked below is the source of truth for affected build numbers.
What we’re seeing
Two attack patterns observed in customer environments since Friday:
- Initial access → mailbox enumeration. The attacker mints a session, pivots to internal Exchange, and pulls 30 days of messages from senior accounts. Goal appears to be reconnaissance for follow-on social engineering, not immediate ransomware.
- Initial access → dormant implant. A modified Velociraptor-style collector binary is dropped to C:\ProgramData\fortimon\update.exe and scheduled to beacon out every 47 hours. We assess this is a staging foothold for a separate campaign.
What Carbynix is doing
Carbynix Guardian and Fortress customers running our endpoint sensor are covered by detection rule CBNX-FORT-244 as of 11:02 EST today. The rule fires on any of:
- Outbound TCP from a Fortinet appliance to a destination outside your published egress allow-list
- New scheduled task creation on a Windows host that originated from a session minted in the last 6 hours via the affected SSL-VPN listener
- Any process spawning from \fortimon\ or \fortiguard\ paths under ProgramData
If your CyOps tier includes managed response, we will isolate the affected host and disable the originating account on detection. No action required from you.
What to do if you’re not a customer
- Patch. Move to FortiOS 7.4.5, 7.2.9, or 7.0.16. The Fortinet advisory has the build hashes.
- Assume compromise on public SSL-VPN appliances if you ran an unpatched build at any point in the last 14 days. Pull session logs for the listener and look for handshakes that completed without a corresponding successful authentication event in the same source IP / 15-second window.
- Disable SSL-VPN entirely on the appliance until patched, if patching this week is not possible. The appliance can still serve IPSec tunnels in the meantime.
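One way to run the session-log check from the second step above, as an added example that is not Carbynix's or Fortinet's code. The log layout and field names (src, event, user) are a constructed, simplified key=value format, not the real FortiOS event schema; map them to your appliance's export before use.

```python
"""Hunt for SSL-VPN handshakes that never produced a matching authentication.

The log format below is CONSTRUCTED for this example, not the real FortiOS
event schema: adjust parse_line() to the field names your appliance exports.
"""
from datetime import datetime, timedelta

# Constructed sample: four handshakes, only two of which authenticate in time.
SAMPLE_LOG = """\
2025-05-12T08:00:01Z src=198.51.100.10 event=handshake_complete
2025-05-12T08:00:04Z src=198.51.100.10 event=auth_success user=alice
2025-05-12T08:01:10Z src=203.0.113.7 event=handshake_complete
2025-05-12T08:01:12Z src=203.0.113.7 event=auth_failure user=admin
2025-05-12T08:02:30Z src=198.51.100.22 event=handshake_complete
2025-05-12T08:02:52Z src=198.51.100.22 event=auth_success user=bob
2025-05-12T08:03:00Z src=192.0.2.55 event=handshake_complete
2025-05-12T08:03:02Z src=192.0.2.55 event=auth_success user=carol
"""


def parse_line(line):
    """Return (timestamp, fields) for one key=value log line."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields


def find_unauthenticated_handshakes(log_text, window_seconds=15):
    """Handshakes with no auth_success from the same src within the window.

    Returns a list of (iso_timestamp, src) pairs that merit a closer look.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    window = timedelta(seconds=window_seconds)
    # Index successful auths by source IP so each handshake is one lookup.
    auth_ok = {}
    for ts, f in events:
        if f.get("event") == "auth_success":
            auth_ok.setdefault(f["src"], []).append(ts)
    suspicious = []
    for ts, f in events:
        if f.get("event") != "handshake_complete":
            continue
        src = f["src"]
        # Flag unless some auth_success from the same src lands in [ts, ts+window].
        if not any(ts <= a <= ts + window for a in auth_ok.get(src, [])):
            suspicious.append((ts.isoformat(), src))
    return suspicious


if __name__ == "__main__":
    for when, src in find_unauthenticated_handshakes(SAMPLE_LOG):
        print(f"{when} {src}: handshake completed with no auth within 15s")
```

On the constructed sample this flags 203.0.113.7 (only a failed auth followed) and 198.51.100.22 (the successful auth arrived 22 seconds later, outside the 15-second window); the window is a parameter so you can tighten or loosen it against your own baseline.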
The math, plainly
A confirmed breach via this CVE will run an SMB legal practice $180K–$340K in forensics + notification + downtime, before any class-action exposure. The Fortinet patch takes 90 minutes to apply. Patch this week.
This brief was drafted by Carbynix’s structured-reasoning pipeline from the CISA KEV feed, the Fortinet PSIRT advisory, and our customer-environment telemetry. Sources are linked above. If you find an error, tell us and we’ll correct it within 24 hours.