FortiVoice Zero-Day Vulnerability: Critical Remote Code Execution Threat Under Active Exploitation

Fortinet has disclosed a critical security vulnerability affecting its FortiVoice systems and several other products in its security portfolio. This vulnerability has been confirmed to be actively exploited in the wild, posing an immediate threat to businesses using these systems.

 The Vulnerability: CVE-2025-32756

The vulnerability, designated CVE-2025-32756, is a stack-based buffer overflow with a CVSS score of 9.8, rating it as critical. This security flaw allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests to a specific API on affected systems.

What makes this vulnerability particularly dangerous is that it:

• Requires no authentication
• Can be exploited remotely
• Provides complete control over affected systems
• Is already being actively exploited

 Severity and Impact

With its CVSS score of 9.8, this vulnerability is among the most severe threats an organization can face. Successful exploitation gives attackers the ability to:

• Execute arbitrary code with system-level privileges
• Take complete control of affected devices
• Access sensitive communications data
• Use compromised systems as a foothold for further network penetration
• Exfiltrate credentials and other sensitive information

 Exploitation Methods

According to Fortinet’s security advisory, attackers have been observed:

1. Sending specially crafted HTTP requests to vulnerable FortiVoice systems
2. Performing reconnaissance scans of internal networks from compromised devices
3. Deliberately erasing system crash logs to hide their activities
4. Enabling “fcgi debugging” settings to capture credentials and SSH login attempts
5. Deploying malware on compromised systems
6. Creating malicious cron jobs designed to extract and exfiltrate sensitive information

 Affected Products

While exploitation has primarily targeted FortiVoice systems, the vulnerability affects multiple Fortinet products:

• FortiVoice versions 6.4.0 through 6.4.10, 7.0.0 through 7.0.6, and 7.2.0
• FortiMail versions up to 7.6.2
• FortiNDR versions up to 7.6.0
• FortiRecorder versions up to 7.2.3
• FortiCamera versions up to 2.1.3

 The Threat Actors

While Fortinet hasn’t attributed this campaign to any specific threat group, the sophistication of the attack and targeting of enterprise communication systems suggests this may be the work of advanced persistent threat (APT) actors. The focus on voice communication systems indicates potential interest in intelligence gathering or corporate espionage.

The attackers have deployed multiple types of malicious code, created backdoors, and implemented persistence mechanisms—all signs of a sophisticated adversary with specific targeting objectives.

 At-Risk Organizations

Any organization using the affected Fortinet products is at risk, but particularly vulnerable are:

• Businesses using FortiVoice for enterprise communications
• Organizations that haven’t implemented the latest security patches
• Networks with FortiVoice systems directly accessible from the internet
• Enterprises where voice/unified communications contain sensitive information

 Remediation Steps

Fortinet has released patches addressing this vulnerability. Organizations should:

1. Immediately update affected systems to the latest patched versions:
   • FortiVoice to version 7.2.1, 7.0.7, or 6.4.11
   • FortiMail to version 7.6.3, 7.4.5, 7.2.8, or 7.0.9
   • FortiNDR to version 7.6.1, 7.4.8, 7.2.5, or 7.0.7
   • FortiRecorder to version 7.2.4, 7.0.6, or 6.4.6
   • FortiCamera to version 2.1.4
2. For systems that cannot be immediately updated, implement the recommended workaround:
   • Disable the HTTP/HTTPS administrative interface
   • If administrative access is required, restrict it to trusted IP addresses only
3. Check for indicators of compromise provided by Fortinet:
   • Look for suspicious log entries in httpd trace logs
   • Check for unauthorized file modifications
   • Search for malicious cron jobs
4. If compromise is suspected, consider:
   • Isolating affected systems
   • Performing a full system reset
   • Changing all credentials

 How CinchOps Can Help

At CinchOps, we understand that vulnerabilities like CVE-2025-32756 represent a significant threat to your business operations and data security. Our comprehensive managed IT services provide protection against such threats through:

1. Proactive Security Monitoring: Our team continuously monitors for new vulnerabilities and ensures your systems are protected before they can be exploited.
2. Rapid Patch Management: We implement critical security patches quickly to minimize your exposure window to active threats.
3. Vulnerability Assessments: Regular scans of your network identify and address potential security gaps before attackers can exploit them.
4. Incident Response: Should a breach occur, our expert team will identify, contain, and remediate the threat while minimizing business impact.

Don’t wait until your business becomes a victim of cybercriminals exploiting these dangerous vulnerabilities. Contact CinchOps today to secure your IT infrastructure against emerging threats like the FortiVoice vulnerability and many others that emerge daily in our increasingly connected world.

Our team of seasoned IT professionals in the Katy and Houston areas can provide the managed IT support your small or medium-sized business needs to stay protected in today’s challenging threat environment.

 Discover More 

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Microsoft May 2025 Patch Tuesday: Addresses 5 Actively Exploited Critical Zero-Days
For Additional Information on this topic: Zero-day exploited to compromise Fortinet FortiVoice systems

FREE CYBERSECURITY ASSESSMENT