Fortinet has recently addressed a serious zero-day vulnerability that was actively exploited in the wild, primarily targeting FortiVoice enterprise phone systems. This vulnerability, tracked as CVE-2025-32756, is a stack-based buffer overflow that allows remote, unauthenticated attackers to execute arbitrary code by sending specially crafted HTTP requests to vulnerable devices. What’s more concerning is that this flaw doesn’t just impact FortiVoice it also affects other Fortinet products including FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
-Book Your FREE Cybersecurity Consultation Now!
Table of Contents
Discovery and Exploitation Tactics
Fortinet’s internal Product Security Team discovered the flaw after detecting unusual behavior on targeted systems. These attackers weren’t just scanning networks they were actively trying to hide their tracks by deleting system crash logs and enabling debugging features that are normally turned off.
One of the most telling signs of compromise was the toggling of the “fcgi debugging” setting. This feature, which is disabled by default, was found enabled on compromised systems. It appears attackers were using it to log credentials, either from HTTP traffic or from SSH login attempts. If you’re managing a Fortinet device, it’s worth checking for this indicator. You can run the commanddiag debug application fcgi, and if it returns “general to-file ENABLED,” that’s a red flag. Attack Infrastructure and Indicators of Compromise
Fortinet identified a set of IP addresses from which these attacks were launched:
198.105.127[.]124
43.228.217[.]173
43.228.217[.]82
156.236.76[.]90
218.187.69[.]244
218.187.69[.]59
During their investigation, Fortinet observed that once attackers gained access, they were deploying malware, adding cron jobs to harvest credentials, and even dropping scripts to scan the internal networks of the victims. This level of activity suggests that the attackers had a clear objective and were prepared to move quickly through compromised environments.
Temporary Mitigation Steps
For organizations that can’t immediately apply the security patches released by Fortinet, there is some temporary mitigation advice. Specifically, Fortinet recommends disabling the HTTP and HTTPS administrative interfaces on affected devices. While this doesn’t fix the vulnerability, it can reduce the attack surface significantly until proper updates can be applied.
Broader Security Context
This isn’t the first time recently that Fortinet products have been under fire. Just last month, the Shadowserver Foundation reported that over 16,000 Fortinet devices were exposed to the internet with a new symlink backdoor installed. This backdoor granted attackers read-only access to sensitive files on devices that were likely compromised before a patch was available. And in early April, Fortinet disclosed another critical issue in FortiSwitch devices that allowed remote attackers to change administrator passwords.
These incidents form a clear pattern: attackers are actively hunting for Fortinet vulnerabilities, particularly in products that are often exposed to the internet. It’s a reminder that internet-facing administrative interfaces are a liability, and that patching even for non-core systems like phone and camera solutions needs to be part of every organization’s routine security operations.
Final Recommendations
If you’re running Fortinet hardware, now’s a good time to review your configurations, confirm whether this vulnerability affects any of your devices, and apply the patch if possible. And if you’re unable to patch immediately, at least make sure those admin interfaces are locked down.
Security teams should also check for the presence of indicators of compromise, particularly the fcgi debugging setting, unexpected cron jobs, and any unusual outbound connections to the IP addresses listed earlier. A quick sweep now could help prevent a deeper compromise later.
In an environment where zero-day attacks are increasingly common and quick-moving, staying on top of security advisories like this one is critical. Fortinet’s prompt response is commendable, but it’s up to each organization to follow through on the fix.
Why Businesses Trust SecureMyOrg for Comprehensive Network Security
At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!
Some of the things people reach out to us for –
- Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
- Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
- DevSecOps consulting
- Red Teaming activity
- Regular security audits, before product release
- Full time security engineers.
Relevant Posts
Your Crypto Wallet Isn’t Safe -Even on iPhone. Here’s Why
Even iPhone users aren’t safe. A new malware named SparkKitty is using AI and gallery access to steal crypto wallet seed phrases silently from your phone.
Fortinet CVE-2023-42788: OS Command Injection Vulnerability
Fortinet’s CVE-2023-42788 affects multiple products, enabling OS command injection. Learn about the risks and key mitigation steps to protect your systems.
New Wireshark Vulnerability Triggers DoS Attack: What You Need to Know (CVE-2025-5601)
A high-severity DoS vulnerability in Wireshark (CVE-2025-5601) could crash the tool via malformed packets or malicious capture files. This flaw impacts millions and underscores the need for urgent patching and safe handling of .pcap files.
Steganography in Cybercrime: How Hackers Hide Malware in Plain Sight
Hackers are turning to an ancient technique, steganography to hide malware inside everyday files like images and audio. This blog explores how malicious code is concealed in plain sight, including a shocking WhatsApp scam where a man lost ₹2 lakh to a seemingly innocent image.
WhatsApp Image Scam: WhatsApp Images Could Be Cyber Traps!
Think twice before opening that WhatsApp image cybercriminals are now hiding malware inside photos using advanced techniques like steganography. In this blog, I break down how one victim lost ₹2 lakh from a single download, and how you can stay safe with simple, actionable steps.
Critical Zero-Day in FortiVoice Patched by Fortinet After Active Exploits
Fortinet has patched a critical zero-day vulnerability (CVE-2025-32756) exploited in active attacks targeting FortiVoice and other products like FortiMail and FortiCamera. The flaw allowed remote code execution via crafted HTTP requests, with attackers deploying malware and harvesting credentials before the fix was released.