Cybersecurity Threat Advisory: Critical zero-day vulnerability in Fortinet

A critical zero-day vulnerability, CVE-2025-32756, affecting several Fortinet products, most notably FortiVoice enterprise phone systems, has recently been patched. Attackers exploited it before the fix was available and are still actively exploiting it in the wild. Read the details of this Cybersecurity Threat Advisory to learn how to keep your environment safe.

What is the threat?

The vulnerability is a stack-based buffer overflow in the way the affected products' administrative web interface handles HTTP requests. By sending a request that carries a specially crafted cookie, a remote, unauthenticated attacker can overrun a fixed-size buffer on the stack, overwrite the adjacent control data (such as the saved return address) and execute arbitrary code or commands with root privileges on the device. No credentials or user interaction are needed, so any device whose administrative interface is reachable by the attacker is exposed.

Affected products and versions:

  • FortiVoice: Versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10
  • FortiMail: Versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8
  • FortiNDR: Versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6, and all releases of 7.1 and of 1.1 through 1.5
  • FortiRecorder: Versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5
  • FortiCamera: Versions 2.1.0 through 2.1.3, 2.0.x, 1.1.x

Why is it noteworthy?

Because the flaw is reachable remotely without authentication on devices that commonly sit at the network edge, and because exploitation is already being observed in the wild, prompt action is crucial to protect Fortinet devices and the networks they secure. Organizations should prioritize patching and, since attackers may have gained access before the patch was applied, investigate each device for signs of compromise rather than assume the upgrade alone resolves the issue.

What is the exposure or risk?

Successful exploitation of CVE-2025-32756 can have severe consequences, including:

  • Remote code execution (RCE): Attackers can execute arbitrary code or commands as root on the compromised system, gaining complete control of it.
  • Data breaches: Attackers can access sensitive information on the device, potentially leading to data theft and further malicious activity.
  • System compromise: Full control over the affected system allows attackers to modify configurations, install malware, create new user accounts, and pivot to other internal systems.
  • Credential theft: As observed in the wild, attackers have turned on “fcgi debugging,” a setting that is off in a normal configuration and that logs authentication attempts to the device, including SSH logins, so that credentials can later be harvested from the log file and reused elsewhere.
  • Network reconnaissance: Attackers have used compromised devices to scan the internal network for further targets.
  • Evasion of detection: Attackers erase system crash logs, which would otherwise record the process crashes that failed or repeated exploitation attempts leave behind.
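To make the credential-theft and crash-log bullets above concrete, here is an added example written for this page (not Fortinet or Barracuda code) of two checks an investigator would run over output exported from a suspect device. It assumes that the fcgi debugging setting appears as a `general to-file ENABLED` line in the output of `diag debug application fcgi` (the indicator Fortinet published for this setting), and that the device's web log is Apache httpd with mod_fcgid, whose `error reading data, FastCGI server closed connection` and `ap_pass_brigade failed in handle_request_ipc function` messages mean the FastCGI backend died while serving a request, which is what an overflow attempt that crashes the handler looks like from the web server's side. Every sample string in the block is constructed for this example.

```python
"""Indicator checks for CVE-2025-32756 post-exploitation activity.  Added
example for this advisory, not Fortinet or Barracuda code.  Assumptions:
the fcgi debugging setting reads 'general to-file ENABLED' in the output of
'diag debug application fcgi'; the web log is Apache httpd with mod_fcgid.
Every sample string below is constructed for this example."""
import re
from collections import Counter
from typing import Dict, List

# Abused setting: fcgi debugging turned on so that submitted credentials land in a log.
FCGI_DEBUG_ON = re.compile(r"general\s+to-file\s+ENABLED", re.IGNORECASE)

# mod_fcgid reports a FastCGI worker that died mid-request with these two messages.
# A crashed worker is what a failed or repeated overflow attempt leaves in the web
# log, and the crash itself is the evidence the attackers erase.  IPv4 clients only.
FCGID_CRASH = re.compile(
    r"\[fcgid:(?:warn|error)\].*?\[client (?P<client>[^\]]+)\] mod_fcgid: "
    r"(?:error reading data, FastCGI server closed connection"
    r"|ap_pass_brigade failed in handle_request_ipc function)"
)

# Constructed sample: the one line of the setting dump we care about; rest omitted.
SAMPLE_DIAG_OUTPUT = "general to-file ENABLED\n"

# Constructed sample httpd log: three backend crashes from one client within
# seconds, one isolated crash from another client, and an unrelated notice.
SAMPLE_HTTPD_LOG = """\
[Mon May 12 10:02:11 2025] [fcgid:warn] [pid 1829] [client 203.0.113.7:51122] mod_fcgid: error reading data, FastCGI server closed connection
[Mon May 12 10:02:11 2025] [fcgid:error] [pid 1829] [client 203.0.113.7:51122] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
[Mon May 12 10:02:14 2025] [fcgid:warn] [pid 1829] [client 203.0.113.7:51130] mod_fcgid: error reading data, FastCGI server closed connection
[Mon May 12 10:05:00 2025] [core:notice] [pid 1001] AH00094: Command line: 'httpd'
[Mon May 12 11:15:43 2025] [fcgid:warn] [pid 1830] [client 192.0.2.20:40011] mod_fcgid: error reading data, FastCGI server closed connection
"""


def fcgi_debug_enabled(diag_output: str) -> bool:
    """True when the dump shows fcgi debugging writing to a file (not a normal setting)."""
    return FCGI_DEBUG_ON.search(diag_output) is not None


def fcgid_crashes_by_client(log_lines: List[str]) -> Dict[str, int]:
    """Count FastCGI backend-crash messages per client IP (source port stripped)."""
    counts: Counter = Counter()
    for line in log_lines:
        m = FCGID_CRASH.search(line)
        if m:
            counts[m.group("client").rsplit(":", 1)[0]] += 1
    return dict(counts)


def suspicious_clients(log_lines: List[str], threshold: int = 3) -> List[str]:
    """Clients that crashed the backend at least `threshold` times: pull their full
    request history and compare the timestamps against the crash-log directory."""
    return sorted(ip for ip, n in fcgid_crashes_by_client(log_lines).items()
                  if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_HTTPD_LOG.splitlines()
    print("fcgi debugging enabled:", fcgi_debug_enabled(SAMPLE_DIAG_OUTPUT))
    print("backend crashes by client:", fcgid_crashes_by_client(lines))
    print("suspicious clients:", suspicious_clients(lines))
```

A single backend crash can be benign; a burst from one source, or any crash whose timestamp has no matching crash log on the device, is what to escalate. If fcgi debugging is on, treat every credential entered on the device since the earliest suspicious timestamp as compromised.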

What are the recommendations?

Barracuda recommends the following actions to secure your environment:

  • Upgrade to the latest patched versions:
    • FortiVoice: 7.2.1 or above (for 7.2.0), 7.0.7 or above (for 7.0.0 through 7.0.6), 6.4.11 or above (for 6.4.0 through 6.4.10)
    • FortiMail: 7.6.3 or above (for 7.6.0 through 7.6.2), 7.4.5 or above (for 7.4.0 through 7.4.4), 7.2.8 or above (for 7.2.0 through 7.2.7), 7.0.9 or above (for 7.0.0 through 7.0.8)
    • FortiNDR: 7.6.1 or above (for 7.6.0), 7.4.8 or above (for 7.4.0 through 7.4.7), 7.2.5 or above (for 7.2.0 through 7.2.4), 7.0.7 or above (for 7.0.0 through 7.0.6). The 7.1 and 1.1 through 1.5 branches have no fixed release and should be migrated to a fixed branch.
    • FortiRecorder: 7.2.4 or above (for 7.2.0 through 7.2.3), 7.0.6 or above (for 7.0.0 through 7.0.5), 6.4.6 or above (for 6.4.0 through 6.4.5)
    • FortiCamera: 2.1.4 or above (for 2.1.0 through 2.1.3). The 1.1 and 2.0 branches have no fixed release and should be migrated to a fixed branch.
  • If immediate patching is not possible, disable the HTTP/HTTPS administrative interface until the upgrade is done. This removes the attack surface through which the overflow is reached, but it is a stopgap, not a fix, and it does nothing for a device that was already compromised.
  • Before trusting a patched device, check whether fcgi debugging has been turned on and whether crash logs are missing; either is a sign the device was reached before the patch.
  • If a device shows signs of compromise, isolate it, investigate for lateral movement from it into the rest of the network, and reset every credential that may have been captured, including accounts that logged in over SSH or the administrative interface while fcgi debugging was enabled.
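As a triage aid for the affected-version and fixed-version lists above, the following is an added example written for this page, not code from Fortinet or Barracuda. It transcribes the branch table from the advisory; the product names, the status strings and the `triage` function are this script's own conventions. Run it over an inventory of product/version pairs to see which devices need the upgrade, which are already past the fix, and which sit on branches that have no fix and must be migrated.

```python
"""Version triage for CVE-2025-32756.  Added example for this advisory, not
code from Fortinet or Barracuda.  BRANCHES is transcribed from the affected
and fixed version lists above; product names and status strings are this
script's own conventions."""
from typing import Dict, List, Optional, Tuple

# Per product: (first affected, last affected, first fixed) per major.minor branch.
#   last affected None -> every release on the branch is affected
#   first fixed   None -> no fixed release on the branch; migrate to a fixed one
BRANCHES: Dict[str, List[Tuple[str, Optional[str], Optional[str]]]] = {
    "FortiVoice": [("7.2.0", "7.2.0", "7.2.1"), ("7.0.0", "7.0.6", "7.0.7"),
                   ("6.4.0", "6.4.10", "6.4.11")],
    "FortiMail": [("7.6.0", "7.6.2", "7.6.3"), ("7.4.0", "7.4.4", "7.4.5"),
                  ("7.2.0", "7.2.7", "7.2.8"), ("7.0.0", "7.0.8", "7.0.9")],
    "FortiNDR": [("7.6.0", "7.6.0", "7.6.1"), ("7.4.0", "7.4.7", "7.4.8"),
                 ("7.2.0", "7.2.4", "7.2.5"), ("7.1.0", None, None),
                 ("7.0.0", "7.0.6", "7.0.7"), ("1.1.0", None, None),
                 ("1.2.0", None, None), ("1.3.0", None, None),
                 ("1.4.0", None, None), ("1.5.0", None, None)],
    "FortiRecorder": [("7.2.0", "7.2.3", "7.2.4"), ("7.0.0", "7.0.5", "7.0.6"),
                      ("6.4.0", "6.4.5", "6.4.6")],
    "FortiCamera": [("2.1.0", "2.1.3", "2.1.4"), ("2.0.0", None, None),
                    ("1.1.0", None, None)],
}


def parse(version: str) -> Tuple[int, ...]:
    """'7.4.10' -> (7, 4, 10).  Strip build suffixes before calling."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_version).

    status: 'unknown_product' (not in the advisory), 'not_listed' (product is,
    but this major.minor branch is not), 'affected' (upgrade to the returned
    version), 'migrate' (branch has no fix) or 'not_affected' (at or past the fix).
    """
    table = BRANCHES.get(product)
    if table is None:
        return "unknown_product", None
    v = parse(version)
    for first, last, fixed in table:
        lo = parse(first)
        if v[:2] != lo[:2]:
            continue                      # different major.minor branch
        if fixed is None or last is None:
            return "migrate", None        # whole branch affected, no fix
        if lo <= v <= parse(last):
            return "affected", fixed
        if v >= parse(fixed):
            return "not_affected", None
        return "affected", fixed          # sub-build between last affected and fix
    return "not_listed", None


if __name__ == "__main__":
    # Constructed inventory; replace with your own export.
    inventory = [("FortiMail", "7.4.2"), ("FortiVoice", "7.2.1"),
                 ("FortiNDR", "7.1.3"), ("FortiCamera", "2.1.3")]
    for product, ver in inventory:
        status, fix = triage(product, ver)
        print(f"{product} {ver}: {status}" + (f", upgrade to {fix}" if fix else ""))
```

A `not_listed` result means the branch is not in the advisory at all, which is not the same as safe; confirm it against the vendor's own advisory before closing the ticket. Version strings that carry a build number need that suffix stripped before `parse` sees them.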

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
