Introduction
Fortinet has disclosed a critical zero-day remote code execution (RCE) vulnerability [6], identified as CVE-2025-32756 [4] [8], which poses significant risks to several Fortinet products. This vulnerability is actively exploited by attackers, necessitating immediate attention and remediation efforts from affected organizations.
Description
Fortinet has disclosed a critical zero-day remote code execution (RCE) vulnerability [6], tracked as CVE-2025-32756 [4] [8], which is actively exploited by attackers to compromise Fortinet FortiVoice phone and conferencing systems [4], as well as FortiOS. This stack-based buffer overflow vulnerability arises from improper input validation and affects multiple Fortinet products, including FortiVoice [1] [3] [5] [6] [8] [9] [10], FortiMail [1] [5] [6] [8] [9] [10], FortiNDR [1] [5] [6] [8] [9] [10], FortiRecorder [1] [5] [6] [8] [9] [10], and FortiCamera [1] [5] [6] [8] [9] [10]. It allows unauthenticated remote attackers to execute arbitrary commands by sending specially crafted HTTP requests to a specific API on affected systems [4] [5]. The vulnerability poses significant risks to the integrity and confidentiality of these products, particularly emphasizing FortiVoice installations, and has been assigned a CVSS score of 9.8 [1], indicating an extremely high risk [2].
The Fortinet Product Security Team identified this flaw after observing unusual attacker behaviors on a device running FortiVoice, such as network scans [6], the deletion of system crash logs [6], and the enabling of FCGI debugging—a feature that logs authentication attempts [9], including SSH logins [9] [10], but is not enabled by default [10]. Reviewing the FCGI debugging setting is recommended as a potential indicator of compromise [10]. Attackers have been reported to deploy malware, install cron jobs for credential theft [6], and scan internal networks [6] [8], underscoring the urgency for organizations, including Federal Civilian Executive Branch (FCEB) agencies [7], to assess their exposure and remediate identified vulnerabilities promptly. Active scanning attempts from known exploit IPs were detected even before the vulnerability was publicly disclosed [2], highlighting the rapid exploitation potential following disclosure. Indicators of compromise related to these attacks include specific IP addresses [5], log entries [5] [8], modified files such as /bin/wpadachelper and /lib/libfmlogin.so [8], and altered settings [5].
CVE-2025-32756 has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list [9] [10], marking it as the eighteenth vulnerability from Fortinet to be included. Although no proof-of-concept (PoC) has been published yet [9] [10], its anticipated release is expected to lead to increased exploitation by attackers [9] [10], including nation-state actors [9] [10]. The exploitation of this vulnerability can result in unauthorized access, data breaches [3], service disruptions [3], and operational challenges [3].
In response to this critical vulnerability, Fortinet has released emergency security patches and updates, strongly recommending that customers upgrade their systems promptly to mitigate potential exploitation. For those unable to upgrade immediately [10], a temporary workaround is to disable the HTTP/HTTPS administrative interface [1]. Affected and fixed versions of Fortinet devices are detailed in the advisory [9] [10], which users are encouraged to review for the latest information on workarounds and patched versions [9] [10]. Furthermore, Tenable plugins for CVE-2025-32756 will be available on the individual CVE page as they are released [9] [10], and customers can utilize Tenable Attack Surface Management to identify public-facing assets running Fortinet devices [9] [10]. Prioritizing the installation of the latest security patches and maintaining a routine schedule for checking updates is crucial for enhancing the security posture of FortiVoice systems and protecting against potential cyber threats. Continuous vigilance and structured management are essential for organizations to maintain security against such threats [2], especially in light of the broader trend of zero-day vulnerabilities affecting various network devices [2], including VPNs and load balancers [2].
Conclusion
The CVE-2025-32756 vulnerability represents a critical threat to Fortinet products, with the potential for severe impacts such as unauthorized access and data breaches. Organizations must prioritize the application of security patches and consider temporary workarounds to mitigate risks. The ongoing trend of zero-day vulnerabilities highlights the need for continuous vigilance and proactive security management to protect against evolving cyber threats.
References
[1] https://www.infosecurity-magazine.com/news/fortinet-ivanti-zero-days/
[2] https://digialert.com/index.php/blogs/blog/others/fortinet-zero-day-vulnerability-cve-2025-32756-patched-is-your-organization-secure
[3] https://cloudindustryreview.com/fortinet-addresses-exploited-zero-day-rce-vulnerability-cve-2025-32756-in-fortivoice-systems/
[4] https://blog.cadre.net/it-security-newsletter/5-14-2025
[5] https://www.helpnetsecurity.com/2025/05/13/zero-day-exploited-to-compromise-fortinet-fortivoice-systems-cve-2025-32756/
[6] https://socradar.io/fortinet-and-ivanti-products-zero-day-threat-addressed/
[7] https://www.cisa.gov/news-events/alerts/2025/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
[8] https://securityonline.info/fortinet-cve-2025-32756-exploited-in-the-wild-critical-rce-flaw-hits-fortivoice-and-more/
[9] https://www.tenable.com/blog/cve-2025-32756-zero-day-vulnerability-in-multiple-fortinet-products-exploited-in-the-wild
[10] https://securityboulevard.com/2025/05/cve-2025-32756-zero-day-vulnerability-in-multiple-fortinet-products-exploited-in-the-wild/
