CVE-2025-32756: FortiVoice Zero-Day Exploit Alert

May 21, 2025, 8:05 p.m.

Description

A critical zero-day vulnerability (CVE-2025-32756) in multiple Fortinet products, including FortiVoice, has been actively exploited. The flaw is a stack-based buffer overflow that allows remote code execution without authentication. Attackers can gain full control of affected systems, access sensitive data, and pivot to other internal networks. The vulnerability stems from an enabled fcgi debugging option, which is not a default setting. Fortinet has released patches and recommends immediate action. Detection methods include checking for enabled fcgi debugging and monitoring specific log entries. The threat actor has been observed conducting network scans, deleting crash logs, and enabling FCGI debugging to capture credentials.

External References

https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited
https://otx.alienvault.com/pulse/6824a0fede556d118cac2b22
Tags
zero-day
fortinet
patch
2025-05-14
fortivoice
remote-code-execution
credential-capture
CVE-2025-32756
network-scan
buffer-overflow

Date

  • Created: May 14, 2025, 1:56 p.m.
  • Published: May 14, 2025, 1:56 p.m.
  • Modified: May 21, 2025, 8:05 p.m.

Indicators

  • 43.228.217.173
  • 43.228.217.82
  • 218.187.69.59
  • 218.187.69.244
  • 198.105.127.124
  • 156.236.76.90
Download all indicators here!

Attack Patterns

Linked vulnerabilities

CVE-2025-32756

None
Published: