Fortinet

Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.

The security flaw is a stack-based overflow vulnerability tracked as CVE-2025-32756 that also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera.

As the company explains in a security advisory issued on Tuesday, successful exploitation can allow remote unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests.

Fortinet's Product Security Team discovered CVE-2025-32756 by investigating attacker activity on affected devices, including network scans, deletion of system crash logs to cover their tracks, and the 'fcgi debugging' setting being turned on to log credentials entered on the system or in SSH login attempts.

As detailed in today's security advisory, the threat actors have launched attacks from half a dozen IP addresses, including 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244, and 218.187.69[.]59.

Indicators of compromise that Fortinet spotted while analyzing the attacks include the 'fcgi debugging' setting, which is not enabled by default, being turned on on compromised systems.

To check whether this setting is enabled on your device, run the command diag debug application fcgi; if the output includes "general to-file ENABLED", the setting is on and the device should be treated as suspect.
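The following Python script is an added example, not code from the article or from Fortinet: it refangs the six IOC addresses published in the advisory, scans log lines for any of them, and checks the output of the fcgi debug command for the "general to-file ENABLED" string. The log line format and the two diagnostic outputs are constructed for illustration and are not Fortinet's real log schema or a real capture; only the IP addresses and the ENABLED string come from the advisory as quoted above.

```python
import re

# IOC addresses from Fortinet's advisory, kept defanged exactly as published.
IOC_IPS_DEFANGED = [
    "198.105.127[.]124",
    "43.228.217[.]173",
    "43.228.217[.]82",
    "156.236.76[.]90",
    "218.187.69[.]244",
    "218.187.69[.]59",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ip: str) -> str:
    """Turn a defanged address such as 43.228.217[.]82 into a plain dotted quad."""
    return ip.replace("[.]", ".")


# Refanged set used for matching against real (non-defanged) log data.
IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def find_ioc_hits(log_lines):
    """Return (line_number, ip) pairs for every line that mentions an IOC address.

    Every IPv4 literal on the line is checked, not just the first one, so the
    match works regardless of whether the address sits in a source or
    destination field.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((lineno, ip))
    return hits


def fcgi_debug_enabled(diag_output: str) -> bool:
    """Return True if 'diag debug application fcgi' output shows the setting
    enabled, which the advisory names as an indicator of compromise."""
    return "general to-file ENABLED" in diag_output


# Constructed sample log lines (illustrative format, not Fortinet's log schema).
SAMPLE_LOG = [
    "2025-05-12T03:14:07Z admin-https src=10.0.0.5 dst=192.0.2.10 status=ok",
    "2025-05-12T03:15:22Z admin-https src=43.228.217.82 dst=192.0.2.10 status=crash",
    "2025-05-12T03:16:01Z sshd src=198.105.127.124 dst=192.0.2.10 event=login-failed",
    "2025-05-12T03:17:45Z admin-https src=203.0.113.7 dst=192.0.2.10 status=ok",
]

# Constructed diagnostic outputs (only the ENABLED string is from the advisory).
DIAG_CLEAN = "general to-file DISABLED"
DIAG_SUSPECT = "general to-file ENABLED"

if __name__ == "__main__":
    for lineno, ip in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: traffic from advisory IOC address {ip}")
    print("fcgi debugging enabled:", fcgi_debug_enabled(DIAG_SUSPECT))
```

Feed find_ioc_hits() the lines of your own admin-interface and SSH logs and fcgi_debug_enabled() the pasted CLI output; a hit on either is a reason to move on to the rest of the advisory's IOCs (crash log deletion, unexpected cron jobs and scanning scripts) rather than a confirmation on its own.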

While investigating these attacks, Fortinet has observed the threat actors deploying malware on hacked devices, adding cron jobs designed to harvest credentials, and dropping scripts to scan the victims' networks.

The company also shared mitigation advice for customers who cannot immediately install today's security updates: disable the HTTP/HTTPS administrative interface on vulnerable devices until they are patched.

Last month, the Shadowserver Foundation discovered over 16,000 internet-exposed Fortinet devices compromised using a new symlink backdoor that provides threat actors with read-only access to sensitive files on now-patched devices hacked in previous attacks.

In early April, Fortinet also warned of a critical FortiSwitch vulnerability that can be exploited to change administrator passwords remotely.

