
Critical Fortinet vulnerability actively exploited

Take action: If you use Fortinet products, patch every affected product now, because the flaw is being actively exploited. As a mitigating measure, make sure the HTTP/HTTPS administrative interface is not reachable from the internet, or disable it altogether.


Learn More

Fortinet has released patches for multiple vulnerabilities across its product portfolio and flags one critical zero-day vulnerability that has been actively exploited against FortiVoice phone system appliances.

The exploited flaw is CVE-2025-32756 (CVSS score 9.6), a stack-based overflow vulnerability. The flaw affects multiple Fortinet products and allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted HTTP requests.

Update - As of 22 May 2025, Horizon3 has published a detailed writeup and there is at least one PoC on GitHub, which makes exploitation even easier for attackers. Note - be careful with PoC code: it may itself contain malicious actions, so review it before executing it in your environment.

Fortinet has observed active exploitation of this vulnerability specifically targeting FortiVoice installations in the wild. During these attacks, the threat actors performed a series of malicious activities designed to maintain access and gather sensitive information:

  • Scanning the device network to identify additional targets
  • Erasing system crashlogs to hide evidence of compromise
  • Enabling fcgi debugging to capture credentials from the system or SSH login attempts
  • Deploying various malicious files and backdoors

The attackers appear to have focused exclusively on FortiVoice systems, though the vulnerability affects multiple Fortinet products.

Although exploitation has only been confirmed against FortiVoice instances, CVE-2025-32756 impacts multiple Fortinet products including:

  • FortiVoice (versions 6.4.0-6.4.10, 7.0.0-7.0.6, and 7.2.0)
  • FortiMail (versions 7.0.0-7.0.8, 7.2.0-7.2.7, 7.4.0-7.4.4, and 7.6.0-7.6.2)
  • FortiNDR (multiple affected versions across 1.x and 7.x branches)
  • FortiRecorder (versions 6.4.0-6.4.5, 7.0.0-7.0.5, and 7.2.0-7.2.3)
  • FortiCamera (versions 1.1.x, 2.0.x, and 2.1.0-2.1.3)

In the same security update, Fortinet also addressed several other significant vulnerabilities:

  • Missing authentication for a critical function, tracked as CVE-2025-22252 (CVSS score 9.0): This critical vulnerability affects FortiOS, FortiProxy, and FortiSwitchManager and can allow a TACACS+ authentication bypass when specific configurations are used.
  • Incorrect authorization, tracked as CVE-2025-25251: This high-severity vulnerability in FortiClient for macOS could allow local attackers to elevate their privileges using crafted XPC messages.

Fortinet also released patches for multiple medium and low-severity flaws across various products including FortiOS Security Fabric, FortiManager, FortiVoiceUC, and FortiPortal. Additionally, they updated advisories for four bugs affecting OpenSSH, including two that resolve the Terrapin and regreSSHion attacks disclosed last year.

Indicators of Compromise (IoCs)

Fortinet has provided extensive indicators of compromise to help organizations identify potential breaches:

IP Addresses Used by Threat Actors:


Suspicious Files and Modifications:

  • Added malware file: /bin/wpad_ac_helper (MD5: 4410352e110f82eabc0bf160bec41d21)
  • Added file: /bin/busybox (MD5: ebce43017d2cb316ea45e08374de7315 and 489821c38f429a21e1ea821f8460e590)
  • Modified /data/etc/crontab with malicious entries
  • Added malicious library: /lib/libfmlogin.so (MD5: 364929c45703a84347064e2d5de45bcd)
  • Various other system file modifications
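A defender-side way to use the file indicators above: take an md5sum-style hash listing from an appliance (or from an offline export of its filesystem) and match it against the advisory's known-bad paths and hashes. This is an added example written for this page, not Fortinet's own tooling; the sample listing is constructed, and it assumes that on a clean appliance none of the listed paths exist at all, so an unlisted hash at one of those paths is still worth triage.

```python
import re

# Known-bad files from the advisory: path -> set of MD5 hashes seen in the wild.
# /bin/busybox was reported with two different hashes.
FILE_IOCS = {
    "/bin/wpad_ac_helper": {"4410352e110f82eabc0bf160bec41d21"},
    "/bin/busybox": {"ebce43017d2cb316ea45e08374de7315",
                     "489821c38f429a21e1ea821f8460e590"},
    "/lib/libfmlogin.so": {"364929c45703a84347064e2d5de45bcd"},
}

# One md5sum output line: "<32 hex>  <absolute path>" (optional '*' for binary mode).
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(/\S+)$")


def parse_md5sum(text):
    """Parse md5sum-style output into {path: lowercase hash}; ignore other lines."""
    listing = {}
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line.strip())
        if m:
            listing[m.group(2)] = m.group(1).lower()
    return listing


def scan_listing(listing):
    """Return (kind, path, hash) findings.

    'confirmed'       - path and hash both match an advisory indicator.
    'suspicious-path' - an indicator path is present but with an unknown hash
                        (assumption: these paths are absent on a clean device,
                        so a repacked variant still deserves a look).
    """
    findings = []
    for path, digest in listing.items():
        if digest in FILE_IOCS.get(path, ()):
            findings.append(("confirmed", path, digest))
        elif path in FILE_IOCS:
            findings.append(("suspicious-path", path, digest))
    return findings


# Constructed sample listing for demonstration; not real appliance output.
SAMPLE_LISTING = """\
4410352e110f82eabc0bf160bec41d21  /bin/wpad_ac_helper
0123456789abcdef0123456789abcdef  /bin/busybox
d41d8cd98f00b204e9800998ecf8427e  /bin/ls
"""

if __name__ == "__main__":
    for kind, path, digest in scan_listing(parse_md5sum(SAMPLE_LISTING)):
        print(f"{kind:15s} {path} {digest}")
```

On a real case, generate the listing with `md5sum` over the exported tree and feed it to `parse_md5sum`; the crontab entry in the advisory has no published hash, so compare /data/etc/crontab against a known-good copy separately.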

Fortinet strongly advises customers to apply the newly released security patches as soon as possible. For organizations unable to immediately patch, a temporary workaround involves disabling the HTTP/HTTPS administrative interface.
