The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding five zero-day vulnerabilities affecting multiple Fortinet products, after evidence emerged of active exploitation in the wild.
The vulnerabilities, tracked as CVE-2025-32756, impact Fortinet’s FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera platforms, widely used in enterprise environments for unified communications, email, network detection, and video surveillance.
Critical Stack-Based Buffer Overflow
The core of the threat is a critical stack-based buffer overflow vulnerability (CWE-124) that allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests to vulnerable devices.
The flaw carries a CVSS v3 score of 9.6, underscoring its severity and potential impact on affected organizations.
Fortinet confirmed that the vulnerability has been exploited in the wild, with initial attacks targeting FortiVoice appliances. Attackers have demonstrated the ability to:
- Scan internal device networks.
- Erase system crashlogs to cover their tracks.
- Enable ‘fcgi debugging’ to log authentication attempts, including SSH logins.
- Deploy malware and cron jobs to harvest credentials.
- Drop scripts for further network reconnaissance.
Indicators of compromise (IoCs) published by Fortinet include suspicious log entries, modifications to system files, and the presence of unauthorized cron jobs and binaries.
Several IP addresses linked to the attacks have also been disclosed to aid in threat hunting.
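The IoC classes above (fcgi debugging switched on, unexpected cron jobs, erased crashlogs, unknown binaries) can be checked against a baseline of a known-good unit. The script below is an added example, not Fortinet's or CISA's code; the command-output format, paths and sample snapshot are constructed placeholders, so substitute the real indicators from Fortinet's advisory before using it.

```python
import re

# Constructed snapshot of artifacts collected from one appliance. Neither the
# debug-status output format nor the paths are real Fortinet data; they stand
# in for the IoC classes the advisory lists.
SAMPLE_SNAPSHOT = {
    "fcgi_debug": "fcgi debug level is 0x80041\ngeneral to-file ENABLED",
    "crontab": ["0 2 * * * /bin/backup_config",
                "*/5 * * * * /tmp/.x/collect.sh"],
    "crashlog_present": False,
    "binaries": {"/bin/httpsd", "/bin/fcgid", "/tmp/.x/collect.sh"},
}
# Known-good baseline captured from a trusted, freshly installed unit (constructed).
BASELINE = {"cron": {"/bin/backup_config"},
            "binaries": {"/bin/httpsd", "/bin/fcgid"}}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def fcgi_debug_enabled(output: str) -> bool:
    """True if the (assumed) debug status output shows file logging turned on."""
    return re.search(r"to-file\s+ENABLED", output, re.IGNORECASE) is not None


def unexpected_cron(lines, allowed):
    """Return cron entries whose command is outside the allowlist, sits in a
    scratch directory, or hides in a dot-prefixed path."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=5)   # 5 schedule fields + command
        if len(parts) < 6:
            continue                     # not a crontab entry; skip
        cmd = parts[5].split()[0]
        hidden = any(seg.startswith(".") for seg in cmd.split("/"))
        if cmd not in allowed or cmd.startswith(SUSPECT_DIRS) or hidden:
            hits.append(line)
    return hits


def assess(snapshot, baseline):
    """Collect one finding per IoC class present in the snapshot."""
    findings = []
    if fcgi_debug_enabled(snapshot["fcgi_debug"]):
        findings.append("fcgi debug logging to file is enabled")
    for entry in unexpected_cron(snapshot["crontab"], baseline["cron"]):
        findings.append(f"unexpected cron job: {entry}")
    if not snapshot["crashlog_present"]:
        findings.append("crashlog missing (possibly erased)")
    extra = sorted(set(snapshot["binaries"]) - baseline["binaries"])
    if extra:
        findings.append(f"binaries not in baseline: {extra}")
    return findings
```

Run `assess(SAMPLE_SNAPSHOT, BASELINE)` against a snapshot gathered from each appliance; an empty list means none of the listed indicator classes was observed, not that the device is clean.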
As of now, there is no public attribution to specific threat actors, nor confirmed links to ransomware campaigns.
However, given the history of Fortinet vulnerabilities being leveraged by both cybercriminal and nation-state actors, security experts warn that broader exploitation could soon follow.
CISA’s Directive and Mitigation Steps
CISA has added CVE-2025-32756 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate the flaw by June 4, 2025.
The agency urges all organizations, not just federal entities, to apply vendor-provided patches immediately, follow Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of affected products if mitigations are unavailable.
For those unable to upgrade immediately, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround.
With thousands of Fortinet devices potentially exposed to the internet, the risk of rapid escalation is high.
Security experts emphasize the urgency of patching, monitoring for IoCs, and reviewing system logs for unauthorized changes.
“Fortinet vulnerabilities have historically been common targets for cyber attackers… When a proof-of-concept is released, we expect attackers will incorporate this vulnerability in their attacks as Fortinet devices have been exploited by threat actors, including nation-state actors in the past.”
Organizations are advised to act swiftly to protect their networks and sensitive data from this critical threat.