Fortinet has recently addressed a critical security vulnerability, identified as CVE-2025-32756, which has been actively exploited in attacks targeting FortiVoice enterprise phone systems. This flaw, with a CVSS score of 9.6 out of 10, is a stack-based buffer overflow vulnerability (CWE-121) that allows remote, unauthenticated attackers to execute arbitrary code or commands via specially crafted HTTP requests.
Details of the Vulnerability
The vulnerability affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Specifically, the affected versions are:
– FortiCamera: Versions 1.1 and 2.0 (users are advised to migrate to a fixed release); version 2.1.x (upgrade to 2.1.4 or above).
– FortiMail: Version 7.0.x (upgrade to 7.0.9 or above); version 7.2.x (upgrade to 7.2.8 or above); version 7.4.x (upgrade to 7.4.5 or above); version 7.6.x (upgrade to 7.6.3 or above).
– FortiNDR: Versions 1.1 through 1.5 and 7.1 (migrate to a fixed release); version 7.0.x (upgrade to 7.0.7 or above); version 7.2.x (upgrade to 7.2.5 or above); version 7.4.x (upgrade to 7.4.8 or above); version 7.6.x (upgrade to 7.6.1 or above).
– FortiRecorder: Version 6.4.x (upgrade to 6.4.6 or above); version 7.0.x (upgrade to 7.0.6 or above); version 7.2.x (upgrade to 7.2.4 or above).
– FortiVoice: Version 6.4.x (upgrade to 6.4.11 or above); version 7.0.x (upgrade to 7.0.7 or above); version 7.2.x (upgrade to 7.2.1 or above).
Observed Exploitation and Threat Actor Activity
Fortinet has observed active exploitation of this vulnerability in the wild, particularly targeting FortiVoice systems. The threat actors have engaged in activities such as conducting network scans, erasing system crash logs, and enabling FastCGI (fcgi) debugging to log credentials from the system or SSH login attempts. These actions indicate a sophisticated approach aimed at maintaining persistence and gathering sensitive information.
The malicious activities have been traced back to specific IP addresses, including:
– 198.105.127.124
– 43.228.217.173
– 43.228.217.82
– 156.236.76.90
– 218.187.69.244
– 218.187.69.59
Recommendations and Mitigation Measures
To protect against potential exploitation, Fortinet strongly recommends that users of the affected products apply the necessary updates promptly. If immediate patching is not feasible, it is advised to disable the HTTP/HTTPS administrative interface as a temporary workaround.
In addition to applying patches, organizations should consider the following security best practices:
– Restrict Management Access: Limit access to management interfaces to trusted IP addresses and avoid exposing them to the public internet.
– Monitor System Logs: Regularly review system logs for unusual activities, such as unexpected configuration changes or unauthorized access attempts.
– Implement Strong Access Controls: Ensure that administrative accounts have strong, unique passwords and consider implementing multi-factor authentication (MFA) to enhance security.
– Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate potential vulnerabilities within the network infrastructure.
Conclusion
The exploitation of CVE-2025-32756 underscores the critical importance of maintaining up-to-date systems and adhering to robust security practices. Organizations utilizing Fortinet products should act swiftly to apply the recommended updates and implement the suggested security measures to safeguard their networks against potential threats.
