Fortinet patched a critical security flaw that it said was exploited as zero-day in an attack targeting Fortivoice’s enterprise phone system.
The vulnerability tracked as CVE-2025-32756 has a CVSS score of 9.6 out of 10.0.
“Stack-based overflow vulnerability [CWE-121] “Fortivoice, Fortimail, Fortindr, Fortirecorder, and Forticamera could allow remote, uncertified attackers to execute arbitrary code or commands via created HTTP requests,” the company said in its advisory.
The company said that while defects being exploited in the wild in the Fortivoice system were observed, it did not disclose the scale of the attack and the threat identity behind threat actors.
Additionally, it allowed threat actors to perform device network scans, clear system crash logs, and FCGI debug logged credentials or SSH login attempts from the system.
This issue affects the following products and versions –
Forticamera 1.1, 2.0 (Move to fixed release) Forticamera 2.1.x (Upgraded to 2.1.4 or later) Fortimail 7.0.x (Upgraded to 7.0.9 or later) 7.2.x (Upgraded to 7.2.8 or later) Fortimail 7.4.x (Upgraded to 7.4.5 or later) Fortindr 1.1, 1.2, 1.3, 1.4, 1.5, 7.1 (Migrate to fixed release) Fortindr 7.0.x (Upgraded to 7.0.7 or later) Fortindr 7.2.x (Upgraded to 7.2.5 or later) 7.4.x (Upgraded to 7.4.8 or above) Fortindr 7.6.x 6.4.6 or later) Fortirecorder 7.0.x (Upgraded to 7.0.6 or later) Fortirecorder 7.2.x (upgraded to 7.2.4 or later) Fortivoice 6.4.x (upgraded to 6.4.11 or later) 7.0.x (upgraded to 7.0.7 or later) (7.2.1 or later)
Fortinet said the vulnerability was discovered by the product security team based on threat actor activity that originated from the following IP addresses:
198.105.127.124 43.228.217.173 43.228.217.82 156.236.76.90 218.187.69.244 218.187.69.59
Fortivoice, Fortimail, Fortindr, Fortirecorder and Forticamera users are advised to apply the necessary fixes to protect their devices from aggressive exploitation attempts. If immediate patching is not an option, we recommend disabling the HTTP/HTTPS management interface as a temporary workaround.
Source link
