Fortinet Fixes Actively Exploited FortiVoice Zero-Day Vulnerability

Fortinet has released security updates to address a critical remote code execution zero-day vulnerability actively exploited in attacks targeting its FortiVoice enterprise phone systems. The vulnerability, tracked as CVE-2025-32756, is a stack-based overflow issue that impacts multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.

A remote unauthenticated attacker can exploit this flaw to execute arbitrary code or commands via maliciously crafted HTTP requests. According to the advisory released by Fortinet, a stack-based overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.

Fortinet has observed this vulnerability being exploited in the wild on FortiVoice systems. The company states that the threat actor that exploited the flaw scanned the network, erased crash logs, and enabled fcgi debugging to capture system or SSH login credentials. Additionally, attackers deployed malware on compromised servers, added credential-stealing cron jobs, and used scripts to scan victim networks.

According to Indicators of Compromise shared by Fortinet, the attacks originated from half a dozen IP addresses, including 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244, and 218.187.69[.]59. The 'fcgi debugging' setting was also enabled on compromised systems.

To verify if fcgi debugging is enabled on your system, use the following CLI command: If the output shows “general to-file ENABLED”, it means fcgi debugging is enabled on your system: This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise.

Fortinet recommends disabling HTTP/HTTPS administrative interface as a workaround. The company also found attackers deploying malware, adding credential-stealing cron jobs, and using scripts to scan victim networks.

The flaw was discovered by Fortinet's Product Security Team. If you are concerned about the vulnerability affecting your organization, it is essential to take immediate action to patch your systems and implement additional security measures.

Take Action Now

Follow these steps to protect yourself from this critical zero-day vulnerability:

• Disable HTTP/HTTPS administrative interface as a workaround.
• Verify if fcgi debugging is enabled on your system using the provided CLI command.
• Patch your systems with the latest security updates.
• Implement additional security measures, such as network segmentation and intrusion detection systems.

Stay informed about the latest security threats by following me on Twitter: @securityaffairs and Facebook and Mastodon.