CISA Alerts on Active Exploitation of Fortinet Zero-Day Vulnerability

A newly disclosed vulnerability, CVE-2025-32756, has sent shockwaves through the cybersecurity community by affecting several widely deployed Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.

This critical flaw, rated with a CVSS score as high as 9.8, enables remote, unauthenticated attackers to execute arbitrary code or commands on vulnerable devices by sending specially crafted HTTP requests.

Fortinet has confirmed that this vulnerability has already been exploited in the wild, particularly targeting FortiVoice appliances.

Understanding the Vulnerability

CVE-2025-32756 is a stack-based buffer overflow vulnerability, classified under CWE-124.

The flaw resides in the way affected Fortinet products handle certain HTTP requests: specifically, a maliciously crafted hash cookie can trigger a buffer overflow on the stack, letting the attacker overwrite critical memory regions and execute arbitrary code.

This type of vulnerability is especially dangerous because it can lead to full system compromise without requiring any authentication or user interaction.

Affected Products and Versions

The vulnerability impacts multiple product lines and versions:

  • FortiVoice: 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10
  • FortiMail: 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8
  • FortiNDR: 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.0.0–7.0.6
  • FortiRecorder: 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5
  • FortiCamera: 2.1.0–2.1.3, all 2.0.x and 1.1.x versions

Exploitation and Impact

Fortinet has observed active exploitation of CVE-2025-32756, with threat actors targeting FortiVoice systems.

Attackers have been seen scanning networks, erasing system crash logs, and enabling debugging features to capture credentials from SSH login attempts.

The exploitation of this vulnerability can allow attackers to:

  • Gain unauthorized access to sensitive systems
  • Steal confidential data
  • Alter system configurations
  • Disrupt critical services
  • Install malware or ransomware

Although there is no public proof-of-concept exploit as of now, the history of Fortinet vulnerabilities being rapidly weaponized suggests that wider exploitation may soon follow.

Mitigation and Recommendations

Fortinet has released security patches addressing this vulnerability.

Users are strongly advised to upgrade to the fixed versions immediately:

Product       | Affected Versions                                  | Fixed Version
------------- | -------------------------------------------------- | ---------------------------
FortiVoice    | 7.2.0, 7.0.0–7.0.6, 6.4.0–6.4.10                   | 7.2.1, 7.0.7, 6.4.11
FortiMail     | 7.6.0–7.6.2, 7.4.0–7.4.4, 7.2.0–7.2.7, 7.0.0–7.0.8 | 7.6.3, 7.4.5, 7.2.8, 7.0.9
FortiNDR      | 7.6.0, 7.4.0–7.4.7, 7.2.0–7.2.4, 7.0.0–7.0.6       | 7.6.1, 7.4.8, 7.2.5, 7.0.7
FortiRecorder | 7.2.0–7.2.3, 7.0.0–7.0.5, 6.4.0–6.4.5              | 7.2.4, 7.0.6, 6.4.6
FortiCamera   | 2.1.0–2.1.3, 2.0.x, 1.1.x                          | 2.1.4 or migrate
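As an added example (not code from the article or from Fortinet), the following Python script encodes the affected and fixed version ranges from the table above and, for a constructed appliance inventory, reports which devices still fall inside an affected range and which release each should move to. Hostnames are made up; the version data is taken from the table.

```python
"""Added example: check Fortinet appliance versions against the
CVE-2025-32756 affected ranges quoted in the article's table."""

# (low, high, fixed) per product: inclusive version range for one branch and
# the fixed release for that branch.  "x" means every patch level in the branch.
AFFECTED = {
    "FortiVoice": [("7.2.0", "7.2.0", "7.2.1"), ("7.0.0", "7.0.6", "7.0.7"),
                   ("6.4.0", "6.4.10", "6.4.11")],
    "FortiMail": [("7.6.0", "7.6.2", "7.6.3"), ("7.4.0", "7.4.4", "7.4.5"),
                  ("7.2.0", "7.2.7", "7.2.8"), ("7.0.0", "7.0.8", "7.0.9")],
    "FortiNDR": [("7.6.0", "7.6.0", "7.6.1"), ("7.4.0", "7.4.7", "7.4.8"),
                 ("7.2.0", "7.2.4", "7.2.5"), ("7.0.0", "7.0.6", "7.0.7")],
    "FortiRecorder": [("7.2.0", "7.2.3", "7.2.4"), ("7.0.0", "7.0.5", "7.0.6"),
                      ("6.4.0", "6.4.5", "6.4.6")],
    # The article lists "2.1.4 or migrate" for FortiCamera: 2.0.x and 1.1.x
    # have no fixed build in their own branch, so the target is 2.1.4.
    "FortiCamera": [("2.1.0", "2.1.3", "2.1.4"), ("2.0.0", "2.0.x", "2.1.4"),
                    ("1.1.0", "1.1.x", "2.1.4")],
}

def parse_version(text):
    """Turn '7.0.6' into (7, 0, 6); 'x' becomes a sentinel that sorts last.
    Missing components are padded with 0 so '2.0' compares like '2.0.0'."""
    parts = [10**9 if p == "x" else int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_version(product, version):
    """Return (vulnerable, fixed_version); fixed_version is None if unaffected."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product}")
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

def triage(inventory):
    """Reduce (hostname, product, version) rows to the devices that still need
    patching, each paired with the release it should move to."""
    return [(host, product, version, check_version(product, version)[1])
            for host, product, version in inventory
            if check_version(product, version)[0]]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("voice-01", "FortiVoice", "7.0.6"), ("mail-01", "FortiMail", "7.6.3"),
              ("cam-07", "FortiCamera", "2.0.5")]
    for row in triage(sample):
        print("{}: {} {} is affected, upgrade to {}".format(*row))
```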

If immediate patching is not possible, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary mitigation.

Organizations should also review Fortinet’s advisory for indicators of compromise (IoCs), such as unexpected log entries or unauthorized configuration changes, and monitor for suspicious activity from the following IP addresses observed in attacks: 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

Regulatory Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-32756 to its Known Exploited Vulnerabilities catalog, urging all organizations, especially those in the federal sector, to remediate the vulnerability by June 4, 2025, under BOD 22-01.

CVE-2025-32756 represents a critical threat to organizations using affected Fortinet products.

Immediate action is required: apply vendor patches, implement temporary mitigations if necessary, and monitor for signs of compromise.

The risk of remote code execution and potential for severe impact on confidentiality, integrity, and availability make this vulnerability a top priority for remediation.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
