Fortinet has patched a critical zero-day vulnerability that allowed remote code execution and was actively exploited in attacks against FortiVoice enterprise phone systems.
The flaw, identified as CVE-2025-32756, is a stack-based buffer overflow vulnerability found in several Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This vulnerability enables remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests.
According to Fortinet’s advisory, the vulnerability stems from a stack-based overflow issue (CWE-121). The company confirmed that the flaw has already been exploited in real-world attacks targeting FortiVoice systems.
Fortinet reported that attackers leveraging this vulnerability scanned networks, deleted crash logs to hide their activities, and enabled FastCGI (fcgi) debugging to capture sensitive data such as system or SSH login credentials.
Further investigation revealed that attackers also deployed malware on affected servers, installed cron jobs designed to steal credentials, and ran scripts to explore victim networks.
Fortinet’s shared indicators of compromise show that the attacks came from at least six IP addresses:
- 198.105.127[.]124
- 43.228.217[.]173
- 43.228.217[.]82
- 156.236.76[.]90
- 218.187.69[.]244
- 218.187.69[.]59
Another indicator is the ‘fcgi debugging’ setting having been turned on, which is not something an administrator would normally do on a production device.
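To make the indicators above usable, the following added example (not code from the article or from Fortinet) refangs the published IP list, matches it against a few constructed log lines, and flags a device whose fcgi debugging setting reads as enabled. The log line format and the text of the fcgi setting output are assumptions for illustration; match them to the real output of your own devices.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Defanged source IPs as listed in the article (Fortinet's shared IoCs).
DEFANGED_IOCS = [
    "198.105.127[.]124",
    "43.228.217[.]173",
    "43.228.217[.]82",
    "156.236.76[.]90",
    "218.187.69[.]244",
    "218.187.69[.]59",
]


def refang(ioc: str) -> str:
    """Turn a defanged IP such as '1.2.3[.]4' back into '1.2.3.4'.

    ipaddress.ip_address raises ValueError on anything that is not an IP,
    so a typo in the IoC list fails loudly instead of silently never matching.
    """
    candidate = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.ip_address(candidate))


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Dotted-quad finder; exact membership in IOC_IPS does the real filtering.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line containing an IoC IP."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip, line))
    return hits


def fcgi_debug_flagged(setting_lines: Iterable[str]) -> bool:
    """Flag a device whose fcgi debugging setting reads as enabled.

    The line format is an assumption; the article only says the setting is
    enabled on compromised devices, not how the device reports it.
    """
    for line in setting_lines:
        lowered = line.lower()
        if "fcgi" in lowered and "debug" in lowered and "enable" in lowered:
            return True
    return False


# Constructed sample log lines (not real telemetry) for demonstration.
SAMPLE_LOGS = [
    "2025-05-13T10:02:11Z httpd: GET /admin HTTP/1.1 src=198.105.127.124 status=200",
    "2025-05-13T10:02:12Z httpd: GET /admin HTTP/1.1 src=10.0.0.5 status=200",
    "2025-05-13T10:03:40Z sshd: Accepted password for admin from 218.187.69.59 port 51022",
    "2025-05-13T10:04:01Z cron: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed setting output (format assumed) for a device that should be investigated.
SAMPLE_FCGI_SETTING = ["application fcgi debug: enabled"]


if __name__ == "__main__":
    for number, ip, line in scan_log_lines(SAMPLE_LOGS):
        print(f"IoC hit on line {number} ({ip}): {line}")
    if fcgi_debug_flagged(SAMPLE_FCGI_SETTING):
        print("fcgi debugging is enabled: investigate this device")
```

Running the block as written reports two IoC hits (lines 1 and 3) and flags the fcgi setting. Substitute your own web-server and SSH logs for `SAMPLE_LOGS`; the IP match is exact, so private-range or unrelated addresses do not trigger it.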
As a temporary workaround, Fortinet advises administrators to disable the HTTP and HTTPS administrative interfaces to reduce exposure until the latest patches are applied.
Security updates addressing the issue are now available, and all users of affected products are strongly urged to install them immediately to prevent further exploitation.