Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
The security flaw is a stack-based overflow vulnerability tracked as CVE-2025-32756 that also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
As the company explains in a security advisory issued on Tuesday, successful exploitation can allow remote unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests.
Fortinet’s Product Security Team discovered CVE-2025-32756 based on attackers’ activity, including network scans, system crashlogs deletion to cover their tracks, and ‘fcgi debugging’ being toggled on to log credentials from the system or SSH login attempts.
As detailed in today’s security advisory, the threat actors have launched attacks from half a dozen IP addresses, including 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244, and 218.187.69[.]59.
Indicators of compromise spotted by Fortinet during the attacks’ analysis include the ‘fcgi debugging’ setting (which isn’t toggled on by default), enabled on compromised systems.
To check if this setting is turned on on your system, you should see “general to-file ENABLED” after running the following command: diag debug application fcgi.
While investigating these attacks, Fortinet has observed the threat actors deploying malware on hacked devices, adding cron jobs designed to harvest credentials, and dropping scripts to scan the victims’ networks.
The company also shared mitigation advice for customers who can’t immediately install today’s security updates, which requires them to disable the HTTP/HTTPS administrative interface on vulnerable devices.
Last month, the Shadowserver Foundation discovered over 16,000 internet-exposed Fortinet devices compromised using a new symlink backdoor that provides threat actors with read-only access to sensitive files on now-patched devices hacked in previous attacks.
In early April, Fortinet also warned of a critical FortiSwitch vulnerability that can be exploited to change administrator passwords remotely.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
