Sunday, May 18, 2025

CISA Warns of Active Exploitation of Fortinet Zero-Day Vulnerability

by Charline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert following reports of active exploitation of a zero-day vulnerability affecting multiple Fortinet products.

The flaw, tracked as CVE-2025-32756, impacts several Fortinet platforms, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. These systems are widely used in enterprise environments for communication, security, and surveillance.

Critical Buffer Overflow Vulnerability

At the center of the alert is a stack-based buffer overflow vulnerability (CWE-124) that allows remote, unauthenticated attackers to execute arbitrary code. Attackers can exploit the flaw by sending specially crafted HTTP requests to vulnerable devices.

The vulnerability carries a CVSS v3 score of 9.6, placing it in the critical severity range and underscoring the urgent need for mitigation.

Fortinet has confirmed that the flaw is being exploited in real-world attacks. Initial intrusions have focused on FortiVoice appliances, where attackers have:

  • Scanned internal networks
  • Deleted crash logs to cover activity
  • Enabled debug logging to capture authentication attempts
  • Installed malware and cron jobs to steal credentials
  • Used scripts for deeper network reconnaissance

Indicators and Ongoing Threats

Fortinet has released indicators of compromise (IoCs), which include unauthorized cron jobs, suspicious system file modifications, and unknown binaries. Several attacker IP addresses have also been published to support threat detection efforts.

While no specific threat group has been publicly linked to the attacks, security analysts warn that both criminal and nation-state actors have exploited Fortinet vulnerabilities in the past. Broader exploitation is considered likely if proof-of-concept code is released.

CISA Orders Immediate Mitigation

CISA has added CVE-2025-32756 to its Known Exploited Vulnerabilities (KEV) catalog and has directed federal agencies to fix the issue by June 4, 2025.

The agency is urging all organizations—not just federal agencies—to apply available patches from Fortinet. Those unable to update immediately are advised to disable the administrative HTTP/HTTPS interface as a temporary workaround.

With thousands of affected Fortinet devices exposed online, experts stress the need for immediate action. System administrators should monitor for IoCs, review system logs, and apply security updates without delay.

“Fortinet vulnerabilities have historically been common targets for cyber attackers,” one analyst noted. “When a proof-of-concept emerges, attackers are quick to take advantage—especially since Fortinet devices have previously been exploited by advanced threat actors.”

Organizations are strongly advised to act now to protect networks and sensitive data from this critical threat.
