FortiVoice Zero-Day Vulnerability (CVE-2025-32756) Exploited in the Wild

Summary

Fortinet has disclosed a critical stack-based buffer overflow vulnerability, identified as CVE-2025-32756, affecting multiple products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows remote, unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The vulnerability has been actively exploited in the wild, with confirmed attacks targeting FortiVoice systems.

Risks

Exploitation of CVE-2025-32756 poses significant risks:

• Remote Code Execution: Attackers can gain full control over affected systems without authentication.

• Credential Theft: Enabling FCGI debugging allows attackers to log system and SSH credentials.

• Persistence and Lateral Movement: Malicious cron jobs and modified system files facilitate ongoing access and potential spread within networks.

• Data Exfiltration: Sensitive information can be extracted, leading to potential data breaches.

Affected Versions

The following product versions are impacted:

• FortiVoice: 6.4.0–6.4.10, 7.0.0–7.0.6, 7.2.0

• FortiMail: 7.0.0–7.0.8, 7.2.0–7.2.7, 7.4.0–7.4.4, 7.6.0–7.6.2

• FortiNDR: 1.1–1.5, 7.0.0–7.0.6, 7.2.0–7.2.4, 7.4.0–7.4.7, 7.6.0

• FortiRecorder: 6.4.0–6.4.5, 7.0.0–7.0.5, 7.2.0–7.2.3

• FortiCamera: 1.1, 2.0, 2.1.0–2.1.3

Users are advised to upgrade to the latest versions to mitigate the vulnerability.

Remediation

Fortinet has released patches addressing CVE-2025-32756 for all affected products. Organizations should:

1. Apply Patches: Update to the latest firmware versions as specified in Fortinet’s advisory.

2. Disable HTTP/HTTPS Administrative Interface: If immediate patching isn’t feasible, disable these interfaces to reduce exposure.

3. Review System Logs: Check for indicators of compromise, such as unusual log entries or unauthorized system modifications.

4. Monitor Network Activity: Be vigilant for signs of lateral movement or data exfiltration.

Implementing these steps will help safeguard systems against potential exploitation.

Indicators of Compromise (IoCs)

Fortinet has identified several IoCs associated with the exploitation of CVE-2025-32756:

Log Entries

• [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection

• [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11

Malicious Files

• /bin/wpad_ac_helper (MD5: 4410352e110f82eabc0bf160bec41d21)

• /bin/busybox (MD5: ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590)

• /lib/libfmlogin.so (MD5: 364929c45703a84347064e2d5de45bcd)

• /tmp/.sshdpm

• /bin/fmtest (MD5: 2c8834a52faee8d87cff7cd09c4fb946)

• /var/spool/.sync

Modified Files

• /data/etc/crontab

• /var/spool/cron/crontabs/root

• /etc/pam.d/sshd

• /etc/httpd.conf

Malicious Settings

• fcgi debug level is 0x80041

• general to-file ENABLED

Threat Actor IPs

• 198.105.127.124

• 43.228.217.173

• 43.228.217.82

• 156.236.76.90

• 218.187.69.244

• 218.187.69.59 

Conclusion

The active exploitation of CVE-2025-32756 underscores the critical importance of timely vulnerability management. Organizations using Fortinet products, especially FortiVoice, must act swiftly to apply patches and implement recommended mitigations. Continuous monitoring and adherence to security best practices are essential to protect against such threats.

References

• FortiVoice 0-day Vulnerability Exploited in the Wild to Execute Arbitrary Code

• Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems

• CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild