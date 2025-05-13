Fortinet has patched a critical vulnerability (CVE-2025-32756) that has been exploited in the wild to compromise FortiVoice phone / conferencing systems, the company’s product security incident response team has revealed on Tuesday.

About CVE-2025-32756

CVE-2025-32756 is a stack-based overflow vulnerability that can lead to remote code and command execution by unauthenticated attackers. To trigger it, they only need to send a specially crafted HTTP request to a specific API.

According to the Fortinet PSIRT, the threat actor has used it to perform scans of the device network, erase system crashlogs, enable “fcgi debugging” setting to log credentials from the system or SSH login attempts, and drop malware.

Fortinet’s researchers have shared indicators of compromised related to the attack(s), which include IP addresses used by attackers, log entries, added or modified files, and modified settings.

The vulnerability also affects FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera, but the attackers have apparently only used it to target FortiVoice installations.

Users are advised to upgrade to fixed releases for the affected solutions. If your FortiVoice installation cannot be upgraded immediately, consider disabling the system’s HTTP/HTTPS administrative interface as a temporary workaround.

