Fortinet has disclosed a critical stack-based buffer overflow vulnerability (CVE-2025-32756) affecting multiple products in its security portfolio, with confirmed exploitation targeting FortiVoice systems in the wild.
The vulnerability, assigned a CVSS score of 9.6, allows remote unauthenticated attackers to execute arbitrary code or commands through specially crafted HTTP requests, potentially giving them complete control over affected devices.
The critical security flaw, categorized as a stack-based buffer overflow, impacts FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products across numerous versions.
Security researchers at Fortinet discovered the vulnerability after observing active exploitation attempts against FortiVoice deployments. The vulnerability was officially disclosed on May 13, 2025, with Fortinet immediately releasing security patches for all affected products.
“A stack-based overflow vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests,” states the official Fortinet advisory.
This type of vulnerability is particularly concerning as it requires no authentication and can be exploited remotely, giving attackers significant leverage over compromised systems.
Observed Attack Patterns
Fortinet has documented specific activities performed by threat actors exploiting this vulnerability in FortiVoice deployments. The observed attack pattern includes network reconnaissance, deliberate erasure of system crash logs to hide malicious activities, and enabling FCGI debugging to capture credentials from the system or log SSH login attempts.
Security researchers have identified multiple indicators of compromise (IoCs) associated with these attacks, including suspicious log entries in the httpd trace logs, unauthorized modifications to system files, and malicious cron jobs designed to exfiltrate sensitive information. Six IP addresses have been linked to the attack campaign, including 198.105.127.124 and 218.187.69.244.
Indicators of Compromise (IoCs) for FortiVoice 0-day (CVE-2025-32756)
| Category | Indicator / Detail | Description / Purpose |
|---|---|---|
| Log Entries | `[fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection` | Error in httpd logs indicating abnormal FastCGI behavior |
| Log Entries | `[fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11` | Signal 11 (segmentation fault) in httpd trace log |
| Malicious Files | `/bin/wpad_ac_helper` (MD5: 4410352e110f82eabc0bf160bec41d21) | Main malware file added by attacker |
| Malicious Files | `/bin/busybox` (MD5: ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590) | Malicious or replaced utility |
| Malicious Files | `/lib/libfmlogin.so` (MD5: 364929c45703a84347064e2d5de45bcd) | Malicious library for logging SSH credentials |
| Malicious Files | `/tmp/.sshdpm` | Contains credentials gathered by the malicious library |
| Malicious Files | `/bin/fmtest` (MD5: 2c8834a52faee8d87cff7cd09c4fb946) | Script to scan the network |
| Malicious Files | `/var/spool/.sync` | Credentials exfiltrated here by cron jobs |
| Modified Files | `/data/etc/crontab` | Cron job added to grep sensitive data from fcgi.debug |
| Modified Files | `/var/spool/cron/crontabs/root` | Cron job added to back up fcgi.debug |
| Modified Files | `/etc/pam.d/sshd` | Malicious lines added to load libfmlogin.so |
| Modified Files | `/etc/httpd.conf` | Line added to load a socks5 module |
| Malicious Settings | `fcgi debug level is 0x80041` / `general to-file ENABLED` | FCGI debugging enabled (not the default); logs credentials |
| Threat Actor IPs | 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, 218.187.69.59 | IP addresses observed in attack activity |
| Malicious Cron Jobs | `0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug` | Extracts passwords from the debug log every 12 hours, then truncates it |
| Malicious Cron Jobs | `0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug` | Backs up the FCGI debug log every 12 hours, then truncates it |
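The table above is only useful if it is actually checked against what is on the appliance. The following script is an added example, not Fortinet's tooling, that turns the listed indicators into an offline sweep: it takes the httpd trace log, the crontab files, /etc/pam.d/sshd, /etc/httpd.conf, the output of the FCGI debug setting and MD5 sums of the named binaries (all exported to text beforehand) and reports which indicators are present. Hashes, paths, IPs and log patterns come from the table; the function names and the sample inputs at the bottom are constructed for this example.

```python
import hashlib
import re

# MD5 hashes, paths and IPs taken from the IoC table above.
KNOWN_BAD_MD5 = {
    "/bin/wpad_ac_helper": {"4410352e110f82eabc0bf160bec41d21"},
    "/bin/busybox": {"ebce43017d2cb316ea45e08374de7315",
                     "489821c38f429a21e1ea821f8460e590"},
    "/lib/libfmlogin.so": {"364929c45703a84347064e2d5de45bcd"},
    "/bin/fmtest": {"2c8834a52faee8d87cff7cd09c4fb946"},
}
THREAT_ACTOR_IPS = {
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
}
# httpd trace-log patterns from the table. The signal-11 line is the
# stronger one: admin.fe dying under mod_fcgid is what a crash of the
# overflowed handler looks like from the web server's side.
HTTPD_PATTERNS = {
    "fcgi_closed": re.compile(
        r"mod_fcgid: error reading data, FastCGI server closed connection"),
    "admin_fe_sigsegv": re.compile(
        r"mod_fcgid: process /migadmin/www/fcgi/admin\.fe\(\d+\) "
        r"exit\(communication error\), get unexpected signal 11"),
}
CLIENT_IP = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3}):\d+\]")
# Both malicious cron jobs read fcgi.debug and write the .sync drop file.
CRON_MARKERS = ("/var/spool/crashlog/fcgi.debug", "/var/spool/.sync")


def check_httpd_log(lines):
    """Return (pattern_name, line) for every log line matching the table."""
    hits = []
    for line in lines:
        for name, rx in HTTPD_PATTERNS.items():
            if rx.search(line):
                hits.append((name, line.rstrip()))
    return hits


def actor_ips_in_log(lines):
    """Client IPs from the httpd log that are on the threat-actor list."""
    seen = {m.group(1) for line in lines for m in CLIENT_IP.finditer(line)}
    return sorted(seen & THREAT_ACTOR_IPS)


def check_crontab(lines):
    """Cron entries that touch fcgi.debug or the /var/spool/.sync drop file."""
    return [l.rstrip() for l in lines if any(m in l for m in CRON_MARKERS)]


def check_pam_sshd(lines):
    """The PAM sshd stack must not load the credential-logging library."""
    return [l.rstrip() for l in lines if "libfmlogin.so" in l]


def check_httpd_conf(lines):
    """A socks5 module in httpd.conf is not expected on these appliances."""
    return [l.rstrip() for l in lines if "socks5" in l.lower()]


def fcgi_debug_enabled(setting_output):
    """True when the non-default FCGI debug setting from the table is present."""
    return ("debug level is 0x80041" in setting_output
            or "to-file ENABLED" in setting_output)


def check_file_hashes(observed):
    """observed maps path -> md5 hex collected on the box; returns known-bad paths."""
    return sorted(p for p, h in observed.items()
                  if h.lower() in KNOWN_BAD_MD5.get(p, set()))


def md5_hex(data):
    """Helper for hashing exported binaries before calling check_file_hashes."""
    return hashlib.md5(data).hexdigest()


def run_checks(httpd_log, crontab, pam_sshd, httpd_conf, fcgi_setting, hashes):
    """Run every check and return one dict of findings (empty list/False = clean)."""
    return {
        "httpd_log": check_httpd_log(httpd_log),
        "actor_ips": actor_ips_in_log(httpd_log),
        "crontab": check_crontab(crontab),
        "pam_sshd": check_pam_sshd(pam_sshd),
        "httpd_conf": check_httpd_conf(httpd_conf),
        "fcgi_debug": fcgi_debug_enabled(fcgi_setting),
        "bad_files": check_file_hashes(hashes),
    }


# Constructed sample inputs for demonstration (not real appliance output).
SAMPLE_HTTPD_LOG = [
    "[fcgid:warn] [pid 1829] [client 198.105.127.124:51234] mod_fcgid: error reading data, FastCGI server closed connection",
    "[fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11",
    "[core:notice] [pid 1503] [client 10.0.0.5:40110] AH00094: Command line: '/bin/httpd'",
]
SAMPLE_CRONTAB = [
    "0 5 * * * root /bin/logrotate",
    "0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug",
]
SAMPLE_PAM_SSHD = ["auth required pam_unix.so", "auth optional /lib/libfmlogin.so"]
SAMPLE_HTTPD_CONF = ["LoadModule fcgid_module modules/mod_fcgid.so",
                     "LoadModule socks5_module modules/mod_socks5.so"]  # constructed
SAMPLE_FCGI_SETTING = "fcgi debug level is 0x80041\ngeneral to-file ENABLED"
SAMPLE_HASHES = {"/bin/busybox": "ebce43017d2cb316ea45e08374de7315",
                 "/bin/fmtest": "0000000000000000000000000000dead"}  # clean copy


def demo():
    return run_checks(SAMPLE_HTTPD_LOG, SAMPLE_CRONTAB, SAMPLE_PAM_SSHD,
                      SAMPLE_HTTPD_CONF, SAMPLE_FCGI_SETTING, SAMPLE_HASHES)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

Two caveats when using this for real. Hash matching only catches the exact samples Fortinet listed; a recompiled busybox or helper with a different hash slips past, so the crontab, PAM and httpd.conf checks (which look for behaviour rather than bytes) are the more durable indicators. And because the attackers erased crash logs on the boxes they touched, an empty httpd trace log on a device that was exposed is itself worth noting rather than treating as a clean result.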
The vulnerability affects numerous product versions across Fortinet’s portfolio. FortiVoice versions 6.4.0 through 6.4.10, 7.0.0 through 7.0.6, and 7.2.0 are vulnerable and require immediate updates. Similarly, various versions of FortiMail (up to 7.6.2), FortiNDR (all 1.x versions and 7.x versions prior to 7.6.1), FortiRecorder (up to 7.2.3), and FortiCamera (up to 2.1.3) are affected.
Fortinet strongly recommends customers update to the latest patched versions as soon as possible. Organizations unable to update immediately should consider the provided workaround of disabling HTTP/HTTPS administrative interfaces to mitigate the risk.
This incident follows a pattern of security vulnerabilities affecting Fortinet products in recent years. Earlier in 2025, Fortinet patched another critical vulnerability (CVE-2024-55591) that was also exploited in the wild.
In late 2022, Fortinet addressed an authentication bypass vulnerability (CVE-2022-40684) that Chinese and Russian cyber-espionage groups actively exploited.
Security experts emphasize that network security appliances like FortiVoice are high-value targets for attackers due to their privileged position within corporate networks and access to sensitive communications.
Organizations using any of the affected Fortinet products should prioritize this security advisory and implement the recommended mitigations immediately.