Fortinet Addresses CVE-2025-32756: Critical Zero-Day RCE Vulnerability in FortiVoice Systems

May 14, 2025
Vulnerability / Network Security

Fortinet has issued a fix for a severe security vulnerability exploited as a zero-day in attacks against FortiVoice enterprise phone systems. Identified as CVE-2025-32756, this flaw has a high CVSS score of 9.6 out of 10.0. According to the company’s advisory, “A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may enable a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.” Fortinet has confirmed that the flaw has been actively exploited in the wild within FortiVoice systems, although details regarding the scope of the attacks and the identities of the attackers remain undisclosed. Notably, the attacker engaged in network scans of devices, deleted system crash logs, and enabled FCGI debugging to capture credentials from the system and SSH login attempts. The vulnerability impacts the following products and versions: FortiCamera 1.1, 2.0 (Update to a secure release recommended).

Fortinet Addresses Critical Zero-Day RCE Vulnerability in FortiVoice Systems

On May 14, 2025, cybersecurity provider Fortinet announced the resolution of a significant security vulnerability identified as CVE-2025-32756. This flaw, which carries a critical CVSS score of 9.6, has reportedly been exploited in live attacks against FortiVoice enterprise phone systems. The vulnerability is characterized as a stack-based buffer overflow, categorized under CWE-121, potentially allowing remote, unauthenticated attackers to execute arbitrary code by sending specially crafted HTTP requests.

Fortinet’s advisory highlighted instances of active exploitation within FortiVoice systems, yet did not reveal specifics regarding the scale of these attacks or the identity of the threat actors involved. Observations indicated that the attackers conducted network scans on affected devices, deleted system crash logs, and activated fcgi debugging. These actions aimed to capture credentials or monitor SSH login attempts, raising concerns about the security posture of Fortinet products.

The vulnerability impacts several Fortinet offerings, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera, particularly affecting versions 1.1 and 2.0 of FortiCamera. Users are urged to migrate to a patched release to safeguard their systems.

In analyzing the tactics employed during these attacks, the MITRE ATT&CK framework provides useful insights. The techniques likely involved initial access through exploitation of the vulnerability, followed by persistence tactics to maintain a foothold within the targeted systems. Additionally, privilege escalation may have been utilized to execute commands with elevated access, leveraging the compromised systems for further malicious activities.

As the cybersecurity landscape continues to evolve, the urgency for businesses to remain vigilant is underscored by incidents like this one. Fortinet’s swift action in addressing this zero-day vulnerability serves as a reminder of the persistent threats faced by organizations in both the public and private sectors. Business owners are encouraged to stay informed and to implement necessary updates to protect against potential exploits that target unpatched vulnerabilities.

Overall, this incident highlights the ongoing risks in network security and the importance of proactive measures to mitigate vulnerabilities before they can be exploited by malicious actors.

Source link