CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Last updated at Wed, 14 May 2025 15:21:18 GMT

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated as CVSS 9.6 (Critical), and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

Mitigation guidance

Fortinet have provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.

• FortiVoice 7.2 should be upgraded to 7.2.1 or above
• FortiVoice 7.0 should be upgraded to 7.0.7 or above
• FortiVoice 6.4 should be upgraded to 6.4.11 or above
  
• FortiRecorder 7.2 should be upgraded to 7.2.4 or above
• FortiRecorder 7.0 should be upgraded to 7.0.6 or above
• FortiRecorder 6.4 should be upgraded to 6.4.6 or above
  
• FortiNDR 7.6 should be upgraded to 7.6.1 or above
• FortiNDR 7.4 should be upgraded to 7.4.8 or above
• FortiNDR 7.2 should be upgraded to 7.2.5 or above
• FortiNDR 7.1 should be migrated to a fixed release
• FortiNDR 7.0 should be upgraded to 7.0.7 or above
• FortiNDR 1.5 should be migrated to a fixed release
• FortiNDR 1.4 should be migrated to a fixed release
• FortiNDR 1.3 should be migrated to a fixed release
• FortiNDR 1.2 should be migrated to a fixed release
• FortiNDR 1.1 should be migrated to a fixed release
  
• FortiMail 7.6 should be upgraded to 7.6.3 or above
• FortiMail 7.4 should be upgraded to 7.4.5 or above
• FortiMail 7.2 should be upgraded to 7.2.8 or above
• FortiMail 7.0 should be upgraded to 7.0.9 or above
  
• FortiCamera 2.1 should be upgraded to 2.1.4 or above
• FortiCamera 2.0 should be migrated to a fixed release
• FortiCamera 1.1 should be migrated to a fixed release
  

For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance's HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check expected to be available in the May 14, 2025 content release.