
Fortinet has released patches for CVE-2025-32756, a critical zero-day vulnerability that was being actively exploited in attacks against FortiVoice enterprise phone systems. The flaw carries a CVSS score of 9.6 out of 10 and allows unauthenticated remote code execution (RCE), which puts it in the most dangerous class of vulnerabilities for an internet-facing appliance.
The vulnerability affects several Fortinet products (FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera) and could allow a remote attacker to execute arbitrary code or system commands without authentication simply by sending specially crafted HTTP requests to the device.
CVE-2025-32756
CVE-2025-32756 is a stack-based buffer overflow (CWE-121): a crafted HTTP request supplies more data than a fixed-size buffer on the stack can hold, overwriting adjacent stack memory and letting the attacker redirect execution to code of their choosing. Because the flaw requires neither valid credentials nor any user interaction, it can be exploited remotely by anyone who can reach the affected web service.
Fortinet said it has observed exploitation in the wild, primarily against FortiVoice systems, but has not disclosed how widespread the attacks are or who is behind them.
Exploitation Techniques
According to Fortinet’s advisory, the attackers used the following tactics:
Scanning networks for vulnerable devices
Erasing system crash logs to cover tracks
Enabling fcgi debugging to collect credentials from system logins or SSH attempts
Taken together, these steps point to attackers who want more than a single code-execution foothold: wiping the crash logs removes the traces a failed overflow attempt would normally leave behind, and turning on fcgi debug logging lets them harvest credentials from subsequent logins so they can return through legitimate channels even after the device is patched.
Affected Fortinet Products
Fortinet confirmed that multiple versions of their products are affected by this vulnerability. The company urges all users to immediately update to the secure versions listed below:
FortiVoice:
6.4.x ➝ Upgrade to 6.4.11 or above
7.0.x ➝ Upgrade to 7.0.7 or above
7.2.x ➝ Upgrade to 7.2.1 or above
FortiMail:
7.0.x ➝ Upgrade to 7.0.9 or above
7.2.x ➝ Upgrade to 7.2.8 or above
7.4.x ➝ Upgrade to 7.4.5 or above
7.6.x ➝ Upgrade to 7.6.3 or above
FortiNDR:
1.1–1.5, 7.1 ➝ Migrate to a fixed release
7.0.x ➝ Upgrade to 7.0.7 or above
7.2.x ➝ Upgrade to 7.2.5 or above
7.4.x ➝ Upgrade to 7.4.8 or above
7.6.x ➝ Upgrade to 7.6.1 or above
FortiRecorder:
6.4.x ➝ Upgrade to 6.4.6 or above
7.0.x ➝ Upgrade to 7.0.6 or above
7.2.x ➝ Upgrade to 7.2.4 or above
FortiCamera:
1.1, 2.0 ➝ Migrate to a fixed release
2.1.x ➝ Upgrade to 2.1.4 or above
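The version table above is easy to misread when an inventory spans several products and branches. The following script is an added example, not Fortinet's code: it transcribes the table into a lookup and reports, for each device in a constructed inventory, whether its build is below the fixed release for its branch. Branches the advisory marks "migrate to a fixed release" are treated as having no safe build. The hostnames and builds in the sample inventory are made up, and a product or branch not in the table is reported as "unlisted" rather than "safe", because the table only covers what the advisory lists.

```python
"""Assess Fortinet product builds against the CVE-2025-32756 fixed versions.

The table is transcribed from the advisory summary above. A value of None
means the advisory gives no fixed release in that branch ("migrate to a
fixed release"), so every build in it counts as vulnerable.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Optional[Version]]] = {
    "FortiVoice": {(6, 4): (6, 4, 11), (7, 0): (7, 0, 7), (7, 2): (7, 2, 1)},
    "FortiMail": {(7, 0): (7, 0, 9), (7, 2): (7, 2, 8),
                  (7, 4): (7, 4, 5), (7, 6): (7, 6, 3)},
    "FortiNDR": {(1, 1): None, (1, 2): None, (1, 3): None, (1, 4): None,
                 (1, 5): None, (7, 1): None, (7, 0): (7, 0, 7),
                 (7, 2): (7, 2, 5), (7, 4): (7, 4, 8), (7, 6): (7, 6, 1)},
    "FortiRecorder": {(6, 4): (6, 4, 6), (7, 0): (7, 0, 6), (7, 2): (7, 2, 4)},
    "FortiCamera": {(1, 1): None, (2, 0): None, (2, 1): (2, 1, 4)},
}


def parse_version(text: str) -> Version:
    """Turn '7.0.6' (or a bare '7.0') into a comparable tuple of ints."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, action); status is 'vulnerable', 'fixed' or 'unlisted'.

    'unlisted' means the product or branch does not appear in the advisory
    table; treat it as "check the vendor advisory", not as "safe".
    """
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        return "unlisted", f"{product} is not in the affected-product list"
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch not in branches:
        return "unlisted", f"{product} {version}: branch {branch[0]}.{branch[1]} not listed"
    fixed = branches[branch]
    if fixed is None:
        return "vulnerable", f"{product} {version}: no fix in this branch, migrate to a fixed release"
    if v >= fixed:
        return "fixed", f"{product} {version}: at or above {fmt(fixed)}"
    return "vulnerable", f"{product} {version}: upgrade to {fmt(fixed)} or above"


# Constructed sample inventory; hostnames and builds are made up for the example.
INVENTORY: List[Tuple[str, str, str]] = [
    ("voice-01", "FortiVoice", "7.0.6"),
    ("voice-02", "FortiVoice", "7.2.1"),
    ("mail-01", "FortiMail", "7.6.2"),
    ("ndr-01", "FortiNDR", "7.1.0"),
    ("cam-01", "FortiCamera", "2.1.4"),
    ("rec-01", "FortiRecorder", "6.4.5"),
]


def vulnerable_hosts(inventory=INVENTORY) -> List[Tuple[str, str]]:
    """List (hostname, required action) for every inventory entry still exposed."""
    return [(host, assess(product, build)[1])
            for host, product, build in inventory
            if assess(product, build)[0] == "vulnerable"]


if __name__ == "__main__":
    for host, action in vulnerable_hosts():
        print(f"{host}: {action}")
```

Feed it the real product and build strings from your own asset inventory; the "unlisted" result is deliberately separate from "fixed" so that a product Fortinet did not enumerate (or a branch it did not mention) is flagged for manual review instead of silently passing.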

Indicators of Compromise (IOCs)
Fortinet identified the following IP addresses as sources of malicious activity related to this vulnerability:
198.105.127.124
43.228.217.173
43.228.217.82
156.236.76.90
218.187.69.244
218.187.69.59
Administrators should search firewall, web-server and SSH authentication logs for connections from these addresses, particularly to the device's HTTP/HTTPS management interface, and treat any hit as the trigger for a full compromise assessment rather than just a block-list entry.
Recommendations
If you use any of the affected Fortinet products, patching is strongly recommended to block active exploitation attempts. Here’s what you can do:
Update to the latest fixed versions as listed above.
If immediate patching is not possible, disable the HTTP/HTTPS administrative interface as a temporary workaround.
Monitor device logs for suspicious activity, especially network scans or credential harvesting.
Check for unexpected fcgi debugging settings or erased crash logs, as these are signs of compromise.
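The IOC list and the monitoring recommendations above describe two checks: matching log traffic against the published addresses, and looking for the fcgi debug setting the attackers turned on. The script below is an added example and not Fortinet's own tooling. It runs over a few constructed log lines in a generic key=value style (the field names are assumptions, not real FortiVoice output), reports every line that touches an IOC address, and counts hits per address. The `fcgi_debug_enabled` helper assumes the device CLI reports the setting with the string "general to-file ENABLED"; check that against what your build actually prints before relying on it.

```python
"""Sweep device logs for the CVE-2025-32756 IOC addresses and check for the
fcgi debug-to-file setting the attackers enabled."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Source IPs published in the advisory summary above.
IOC_IPS = frozenset({
    "198.105.127.124",
    "43.228.217.173",
    "43.228.217.82",
    "156.236.76.90",
    "218.187.69.244",
    "218.187.69.59",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines in a generic key=value style; they are not
# real FortiVoice output and the field names are assumptions.
LOG_SAMPLE = """\
2025-05-13 09:12:01 srcip=10.0.4.25 dstip=10.0.4.1 action=accept service=HTTPS
2025-05-13 09:14:37 srcip=43.228.217.173 dstip=10.0.4.1 action=accept service=HTTPS
2025-05-13 09:14:38 srcip=43.228.217.173 dstip=10.0.4.1 action=accept service=HTTPS
2025-05-13 09:20:05 srcip=198.105.127.124 dstip=10.0.4.1 action=deny service=SSH
2025-05-13 09:25:42 srcip=192.168.1.77 dstip=10.0.4.1 action=accept service=HTTPS
2025-05-13 09:31:10 srcip=999.1.1.1 dstip=10.0.4.1 action=accept service=HTTPS
"""


def extract_ips(line: str) -> List[str]:
    """Return every syntactically valid IPv4 address found in a line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        found.append(candidate)
    return found


def scan_log(text: str, iocs=IOC_IPS) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_ip, line) for each line touching an IOC address."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((number, ip, line))
    return hits


def ioc_summary(hits) -> Dict[str, int]:
    """Count hits per IOC address so the noisiest source stands out."""
    return dict(Counter(ip for _, ip, _ in hits))


# Assumption: the device CLI reports fcgi file logging as
# "general to-file ENABLED"; adjust to whatever your build prints.
FCGI_DEBUG_MARKER = "general to-file ENABLED"


def fcgi_debug_enabled(cli_output: str) -> bool:
    """True if captured CLI output shows fcgi debug-to-file logging switched on,
    which the advisory describes as attacker behaviour rather than a default."""
    return FCGI_DEBUG_MARKER.lower() in cli_output.lower()


if __name__ == "__main__":
    for number, ip, line in scan_log(LOG_SAMPLE):
        print(f"line {number}: IOC {ip}: {line}")
    print(ioc_summary(scan_log(LOG_SAMPLE)))
```

A hit on an IOC address is a lead, not a verdict: pair it with the fcgi debug check and a look at whether the crash log has been cleared before deciding whether the device needs to be rebuilt rather than merely patched.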
Why This Matters
With a CVSS score of 9.6, CVE-2025-32756 is a critical vulnerability that poses a serious risk to enterprise networks. If exploited, it can give attackers full control over vulnerable systems — potentially allowing them to steal data, install malware, or move laterally across networks.
This incident highlights the importance of:
Timely patch management
Monitoring for signs of exploitation
Disabling unnecessary remote interfaces
Fortinet continues to play a key role in securing enterprise environments, but this latest zero-day attack shows that no vendor is immune. Security teams should act quickly to patch vulnerable systems and stay updated with Fortinet’s advisories.