Ethical Hacking News
Fortinet has acknowledged a critical remote code execution zero-day vulnerability actively exploited in attacks targeting their FortiVoice enterprise phone systems. This vulnerability poses significant risks to organizations utilizing these systems, emphasizing the need for prompt action to address the issue.
Cybersecurity vendor Fortinet has acknowledged a critical remote code execution zero-day vulnerability in their FortiVoice enterprise phone systems. The vulnerability, CVE-2025-32756, allows remote unauthenticated attackers to execute arbitrary code via malicious HTTP requests. Fortinet has released security updates to address the vulnerability and mitigates the threat. Organizations using FortiVoice systems must apply security patches promptly and inspect their networks for signs of exploitation.
In a recent update, cybersecurity vendor Fortinet has acknowledged a critical remote code execution zero-day vulnerability actively exploited in attacks targeting their FortiVoice enterprise phone systems. This development comes as a stark reminder of the ongoing cat-and-mouse game between cyber attackers and vendors who strive to protect users from such malicious activities.
The vulnerability, tracked under the identifier CVE-2025-32756, is a stack-based overflow issue that impacts several Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This particular vulnerability allows remote unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests.
According to Fortinet's security advisory, the threat actor that exploited this flaw scanned the network, erased crash logs, and enabled fcgi debugging to capture system or SSH login credentials. Furthermore, attackers deployed malware on compromised servers, added credential-stealing cron jobs, and utilized scripts to scan victim networks. The attack vectors employed by these malicious actors are a testament to their sophisticated tactics.
Fortinet observed attacks originating from several IP addresses including 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244, and 218.187.69[.]59. Indicators of Compromise (IOCs) also revealed the 'fcgi debugging' setting was enabled on compromised systems.
To verify if fcgi debugging is indeed enabled on a system, users are advised to use the CLI command: "diag debug application fcgi." If the output shows "general to-file ENABLED," it signifies that fcgi debugging is active on such a system. This setting is not typically enabled and therefore could indicate an IOC.
Fortinet Product Security Team discovered this critical vulnerability. The company has released security updates to address CVE-2025-32756, thus mitigating the threat posed by this vulnerability.
It is essential for organizations utilizing FortiVoice enterprise phone systems to apply these security patches promptly and thoroughly inspect their networks to identify any signs of exploitation. Moreover, users must be vigilant about potential network scanning and malicious activity stemming from exploits like CVE-2025-32756.
In conclusion, the acknowledgment of a critical vulnerability in FortiVoice by Fortinet underscores the ongoing struggle against sophisticated cyber threats that can exploit vulnerabilities in widely used systems. As organizations strive to bolster their security posture, they must remain vigilant and proactive against emerging threats such as CVE-2025-32756.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-Admits-to-a-Critical-Vulnerability-in-FortiVoice-Enterprise-Phone-Systems-ehn.shtml
https://securityaffairs.com/177800/security/fortinet-fixed-actively-exploited-fortivoice-zero-day.html
https://nvd.nist.gov/vuln/detail/CVE-2025-32756
https://www.cvedetails.com/cve/CVE-2025-32756/
Published: Wed May 14 05:17:05 2025 by llama3.2 3B Q4_K_M
