Fortinet has recently addressed a serious zero-day vulnerability that was actively exploited in the wild, primarily targeting FortiVoice enterprise phone systems. This vulnerability, tracked as CVE-2025-32756, is a stack-based buffer overflow that allows remote, unauthenticated attackers to execute arbitrary code by sending specially crafted HTTP requests to vulnerable devices. What’s more concerning is that this flaw doesn’t just impact FortiVoice it also affects other Fortinet products including FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
-Book Your FREE Cybersecurity Consultation Now!
Table of Contents
Discovery and Exploitation Tactics
Fortinet’s internal Product Security Team discovered the flaw after detecting unusual behavior on targeted systems. These attackers weren’t just scanning networks they were actively trying to hide their tracks by deleting system crash logs and enabling debugging features that are normally turned off.
One of the most telling signs of compromise was the toggling of the “fcgi debugging” setting. This feature, which is disabled by default, was found enabled on compromised systems. It appears attackers were using it to log credentials, either from HTTP traffic or from SSH login attempts. If you’re managing a Fortinet device, it’s worth checking for this indicator. You can run the commanddiag debug application fcgi, and if it returns “general to-file ENABLED,” that’s a red flag. Attack Infrastructure and Indicators of Compromise
Fortinet identified a set of IP addresses from which these attacks were launched:
198.105.127[.]124
43.228.217[.]173
43.228.217[.]82
156.236.76[.]90
218.187.69[.]244
218.187.69[.]59
During their investigation, Fortinet observed that once attackers gained access, they were deploying malware, adding cron jobs to harvest credentials, and even dropping scripts to scan the internal networks of the victims. This level of activity suggests that the attackers had a clear objective and were prepared to move quickly through compromised environments.
Temporary Mitigation Steps
For organizations that can’t immediately apply the security patches released by Fortinet, there is some temporary mitigation advice. Specifically, Fortinet recommends disabling the HTTP and HTTPS administrative interfaces on affected devices. While this doesn’t fix the vulnerability, it can reduce the attack surface significantly until proper updates can be applied.
Broader Security Context
This isn’t the first time recently that Fortinet products have been under fire. Just last month, the Shadowserver Foundation reported that over 16,000 Fortinet devices were exposed to the internet with a new symlink backdoor installed. This backdoor granted attackers read-only access to sensitive files on devices that were likely compromised before a patch was available. And in early April, Fortinet disclosed another critical issue in FortiSwitch devices that allowed remote attackers to change administrator passwords.
These incidents form a clear pattern: attackers are actively hunting for Fortinet vulnerabilities, particularly in products that are often exposed to the internet. It’s a reminder that internet-facing administrative interfaces are a liability, and that patching even for non-core systems like phone and camera solutions needs to be part of every organization’s routine security operations.
Final Recommendations
If you’re running Fortinet hardware, now’s a good time to review your configurations, confirm whether this vulnerability affects any of your devices, and apply the patch if possible. And if you’re unable to patch immediately, at least make sure those admin interfaces are locked down.
Security teams should also check for the presence of indicators of compromise, particularly the fcgi debugging setting, unexpected cron jobs, and any unusual outbound connections to the IP addresses listed earlier. A quick sweep now could help prevent a deeper compromise later.
In an environment where zero-day attacks are increasingly common and quick-moving, staying on top of security advisories like this one is critical. Fortinet’s prompt response is commendable, but it’s up to each organization to follow through on the fix.
Why Businesses Trust SecureMyOrg for Comprehensive Network Security
At SecureMyOrg, we uncover and fix all possible security vulnerabilities of mobile and web, while providing solutions to mitigate risks. We are trusted by renowned companies like Yahoo, Gojek and Rippling, and with 100% client satisfaction, you’re in safe hands!
Some of the things people reach out to us for –
- Building their cybersecurity program from scratch – setting up cloud security using cost-effective tools, SIEM for alert monitoring, building policies for the company
- Vulnerability Assessment and Penetration Testing ( VAPT ) – We have certified professionals, with certifications like OSCP, CREST – CPSA & CRT, CKA and CKS
- DevSecOps consulting
- Red Teaming activity
- Regular security audits, before product release
- Full time security engineers.
Relevant Posts
Critical Zero-Day in FortiVoice Patched by Fortinet After Active Exploits
Fortinet has patched a critical zero-day vulnerability (CVE-2025-32756) exploited in active attacks targeting FortiVoice and other products like FortiMail and FortiCamera. The flaw allowed remote code execution via crafted HTTP requests, with attackers deploying malware and harvesting credentials before the fix was released.
Top 5 Cloud-Focused Remote Access Trojans in 2025
Cloud environments are prime targets in 2025, with Remote Access Trojans engineered specifically to exploit them. This blog covers the top 5 cloud-focused RATs causing major security concerns.
Top 5 Fileless Remote Access Trojans in 2025
Fileless Remote Access Trojans are redefining stealth attacks in 2025 by leaving little to no trace on disk. This blog explores the top 5 fileless RATs attackers are using today.
Dissecting AsyncRAT’s Hold on Windows Systems in 2025
AsyncRAT continues to dominate Windows system compromises in 2025 with its stealth and modular design. This post dissects how it operates and why it remains a persistent threat.
Top 5 IoT Remote Access Trojans Crippling Devices in 2025
IoT devices are under siege in 2025 as Remote Access Trojans exploit their vulnerabilities at scale. This blog breaks down the top 5 IoT RATs causing widespread disruption.
Top 5 Web-Based Remote Access Trojans That Are Dominating 2025
Web-based Remote Access Trojans are becoming the go-to tool for cybercriminals in 2025. This post highlights five of the most widespread and dangerous ones currently in use.