Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
Fortinet has patched a critical vulnerability (CVE-2025-32756) that has been exploited in the wild to compromise FortiVoice phone / conferencing systems, the company’s product security incident response team revealed on Tuesday.
About CVE-2025-32756
CVE-2025-32756 is a stack-based overflow vulnerability that can lead to remote code and command execution by unauthenticated attackers. To trigger it, they only need to send a specially crafted HTTP request to a specific API.
According to the Fortinet PSIRT, the threat actor has used it to perform scans of the device network, erase system crashlogs, enable the “fcgi debugging” setting to log credentials from the system or SSH login attempts, and drop malware.
Fortinet’s researchers have shared indicators of compromise related to the attack(s), which include IP addresses used by attackers, log entries, added or modified files, and modified settings.
The vulnerability also affects FortiMail, FortiNDR, FortiRecorder and FortiCamera, but the attackers have apparently only used it to target FortiVoice installations.
Users are advised to upgrade to fixed releases for the affected solutions. If your FortiVoice installation cannot be upgraded immediately, consider disabling the system’s HTTP/HTTPS administrative interface as a temporary workaround.
UPDATE (May 23, 2025, 05:25 a.m. ET):
Horizon3.ai researchers have published a technical deep-dive into CVE-2025-32756.
“Given that this issue is under active exploitation and there are many vulnerable instances on the open internet, we’ve elected not to publish an exploit beyond [a] simple proof of concept,” they said.
“FortiGuard Lab’s advisory contains plenty of information regarding valuable Indicators of Compromise as well as detailed mitigation information. Given the ease of exploitation, we recommend all users update or apply mitigations as soon as possible.”