# U.S. CISA Adds Fortinet Flaw to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a crucial step in protecting the nation's networks by adding a critical vulnerability in Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog. The added flaw, CVE-2025-32756, is a stack-based overflow issue that affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
## A Critical Zero-Day Exploit
This week, Fortinet released security updates to address the critical remote code execution zero-day vulnerability (CVE-2025-32756), which has been exploited in attacks targeting FortiVoice enterprise phone systems. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code or commands via maliciously crafted HTTP requests.
## How the Vulnerability Works
A stack-based overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. According to Fortinet's advisory, the threat actor that exploited this flaw scanned the network, erased crash logs, and enabled fcgi debugging to capture system or SSH login credentials.
## Attack Vector Revealed
The cybersecurity vendor observed attackers deploying malware on compromised servers, adding credential-stealing cron jobs, and using scripts to scan victim networks. The attacks originated from half a dozen IP addresses, including 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244, and 218.187.69[.]59.
## Identifying Indicators of Compromise
To verify if fcgi debugging is enabled on your system, use the following CLI command: `show system | grep "fcgi"`. If the output shows “general to-file ENABLED”, it means fcgi debugging is enabled on your system. This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise.
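As an added illustration, not code from the article or from Fortinet, the following Python checks the two indicators described above: the `general to-file ENABLED` string in captured fcgi debug CLI output, and the listed source addresses (published defanged with `[.]`) in web or firewall log lines. The CLI output format and the log lines are constructed samples.

```python
import re
from ipaddress import ip_address

# Source addresses named in the article, kept defanged as published.
ATTACKER_IPS_DEFANGED = [
    "198.105.127[.]124", "43.228.217[.]173", "43.228.217[.]82",
    "156.236.76[.]90", "218.187.69[.]244", "218.187.69[.]59",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain address."""
    return indicator.replace("[.]", ".")

ATTACKER_IPS = {refang(ip) for ip in ATTACKER_IPS_DEFANGED}

def fcgi_debug_enabled(cli_output: str) -> bool:
    """True if the captured CLI output contains the IoC string from the advisory."""
    return any("general to-file ENABLED" in line for line in cli_output.splitlines())

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_attacker_ips(log_lines):
    """Return (line_number, ip) for each log line containing a listed address."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                ip_address(candidate)      # drop things like 999.1.1.1
            except ValueError:
                continue
            if candidate in ATTACKER_IPS:
                hits.append((number, candidate))
    return hits

# Constructed sample data; the real CLI output layout may differ.
SAMPLE_CLI_OUTPUT = "fcgi debug level: 0\ngeneral to-file ENABLED\n"
SAMPLE_LOG = [
    "2025-05-13 10:01:02 src=10.0.0.5 dst=10.0.0.1 GET /",
    "2025-05-13 10:01:07 src=43.228.217.82 dst=10.0.0.1 POST /",
    "2025-05-13 10:01:09 src=198.105.127.124 dst=10.0.0.1 GET /",
    "2025-05-13 10:02:11 src=10.0.0.7 dst=10.0.0.1 GET /",
]

if __name__ == "__main__":
    print("fcgi debug-to-file enabled:", fcgi_debug_enabled(SAMPLE_CLI_OUTPUT))
    print("matching log lines:", find_attacker_ips(SAMPLE_LOG))
```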
## Recommendations and Workarounds
Fortinet recommends disabling the HTTP/HTTPS administrative interface as a workaround to prevent further exploitation. The company also advises users to review their systems for the indicators of compromise described above and to address any findings promptly.
## Government Action Taken
CISA orders federal agencies to fix the vulnerabilities by June 4, 2025, to protect their networks against attacks exploiting the flaws in the catalog. Private organizations are also advised to review the Catalog and address the vulnerabilities in their infrastructure.
Stay informed about the latest cybersecurity threats and updates by following me on Twitter (@securityaffairs), Facebook, and Mastodon.