Friday, May 16, 2025

Fortinet has released a patch to fix a critical zero-day vulnerability that was actively exploited in FortiVoice Enterprise, an enterprise VoIP (voice over IP) system. The vulnerability, tracked as CVE-2025-32756, is a stack-based buffer overflow flaw that allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted HTTP requests. This vulnerability also affects other Fortinet products, including FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Fortinet confirmed that FortiVoice systems have already been targeted using this vulnerability. The attackers exhibited behaviors such as network scanning, deletion of crash logs, and enabling the ‘fcgi debugging’ feature, which can be used to intercept login or SSH credentials. In some cases, attackers also deployed additional malware to steal data, created cron jobs, and deployed scripts to scan the victim’s network.
Fortinet has also published a list of Indicators of Compromise (IOCs), which includes suspicious IP addresses like:
198.105.127[.]124
43.228.217[.]173
156.236.76[.]90
Other observable behaviors include unexpected activation of the fcgi debugging feature, which is disabled by default.
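As an added example (not Fortinet's code or tooling), the following triage helper turns the indicators listed above into a simple log scan: it matches the published de-fanged IP IOCs and flags log lines that look like fcgi debugging being enabled, crash logs being deleted, or cron jobs being created. The key=value log format, the regex wording and the sample lines are constructed for illustration and are not a real FortiVoice log schema.

```python
"""Triage helper for the CVE-2025-32756 indicators described above.

Added example, not Fortinet's code. The log line format is constructed
(key=value style) for illustration, not a real FortiVoice log schema.
"""
import re

# IOC IPs from the advisory summary, kept de-fanged ([.]) as published.
DEFANGED_IOC_IPS = ["198.105.127[.]124", "43.228.217[.]173", "156.236.76[.]90"]


def refang(ip: str) -> str:
    """Turn a de-fanged indicator (1.2.3[.]4) back into a matchable address."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOC_IPS}

# Behavioural indicators from the advisory text. The patterns are assumptions
# about how such events might be worded in a log, not Fortinet's exact messages.
BEHAVIOUR_PATTERNS = {
    "fcgi_debug_enabled": re.compile(r"(fcgi.*debug|debug.*fcgi).*(enable|\bon\b)", re.I),
    "crash_log_deleted": re.compile(r"\b(rm|delete|remove)\b.*crash", re.I),
    "cron_job_created": re.compile(r"cron.*(add|creat)", re.I),
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(lines: list[str]) -> dict[str, list[int]]:
    """Return {indicator: [1-based line numbers]} for every hit in the log lines."""
    hits: dict[str, list[int]] = {}
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.setdefault(f"ioc_ip:{ip}", []).append(n)
        for name, pat in BEHAVIOUR_PATTERNS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(n)
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "2025-05-14T10:01:02Z srcip=203.0.113.7 action=login status=ok",
    "2025-05-14T10:05:31Z srcip=198.105.127.124 action=POST uri=/admin status=500",
    '2025-05-14T10:05:33Z user=admin cmd="set debug application fcgi enable"',
    "2025-05-14T10:06:10Z shell: rm -f /var/log/crash/*",
    "2025-05-14T10:07:45Z srcip=43.228.217.173 action=GET uri=/ status=200",
]

if __name__ == "__main__":
    for indicator, where in sorted(triage(SAMPLE_LOG).items()):
        print(f"{indicator}: lines {where}")
```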
Mitigation Recommendations:
Fortinet urges users to immediately update the firmware of all affected devices. If patching is not immediately feasible, administrators should temporarily disable HTTP/HTTPS administrative access to reduce the risk of exploitation.
This vulnerability was discovered by the Fortinet Product Security Team and underscores the increasing trend of attackers exploiting deep infrastructure-level flaws to compromise enterprise IT environments.