Security Incident Response Team
May 21, 2025, 8:32 p.m.
Description
A critical vulnerability in several Fortinet products allows a remote attacker to execute arbitrary code by sending crafted HTTP requests to the device's HTTP/HTTPS administrative interface. Fortinet observed the flaw being exploited in the wild against FortiVoice: after gaining access, the threat actor ran network scans from the device, erased system logs, and enabled fcgi debugging so that credentials entered at login would be written to a log file the actor could later collect. Affected products include FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera across multiple version branches. The threat actor operated from the IP addresses listed under Indicators below and modified system files and settings on compromised devices. Further indicators of compromise reported by Fortinet include newly added malicious files, modified cron jobs, and altered configuration files. Fortinet recommends upgrading to a fixed release; where that is not immediately possible, disabling the HTTP/HTTPS administrative interface removes the exposed attack surface as a workaround.
Tags
Date
- Created: May 14, 2025, 6:57 p.m.
- Published: May 14, 2025, 6:57 p.m.
- Modified: May 21, 2025, 8:32 p.m.
Indicators
- 43.228.217.173
- 43.228.217.82
- 218.187.69.59
- 218.187.69.244
- 198.105.127.124
- 156.236.76.90
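The indicator IPs above are only useful if they are actually checked against what the devices and the surrounding network recorded. The following script is an added example written for this page, not Fortinet's own tooling: it takes the six IPs listed under Indicators, parses two common log shapes (an Apache/nginx-style web access log and a Fortinet-style key=value syslog line with a srcip field), and reports every line whose source address matches. The log lines embedded in the script are constructed for the demonstration; the request paths and device names in them are invented and do not come from the advisory.

```python
"""Hunt for the indicator IPs from this page in exported log data.

Added example for this page; not Fortinet's tooling. The sample log lines
below are constructed and their paths/hostnames are made up.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Indicator IPs exactly as listed under "Indicators" on this page.
INDICATOR_IPS = frozenset({
    "43.228.217.173",
    "43.228.217.82",
    "218.187.69.59",
    "218.187.69.244",
    "198.105.127.124",
    "156.236.76.90",
})

# Apache/nginx combined-format access log: client IP is the first field.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# Fortinet-style key=value syslog; values may be bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample input (NOT real traffic): two indicator hits in web
# access-log form, one in syslog form, and two benign internal lines.
SAMPLE_LOGS = """\
43.228.217.173 - - [12/May/2025:03:14:07 +0000] "POST /admin/login HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2025:03:15:22 +0000] "GET /admin/ HTTP/1.1" 200 2048
date=2025-05-12 time=03:16:01 devname="voice-gw-01" srcip=218.187.69.59 srcport=51234 dstip=10.0.0.10 dstport=443 action="accept" service="HTTPS"
date=2025-05-12 time=03:16:05 devname="voice-gw-01" srcip=192.168.1.20 srcport=40000 dstip=10.0.0.10 dstport=22 action="accept" service="SSH"
198.105.127.124 - - [12/May/2025:03:20:44 +0000] "GET /admin/login HTTP/1.1" 403 0
"""


def parse_kv(line: str) -> Dict[str, str]:
    """Turn a key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(line: str) -> Optional[str]:
    """Return the source IP of a log line, or None if no usable IP is found."""
    m = ACCESS_RE.match(line)
    candidate = m.group(1) if m else parse_kv(line).get("srcip")
    if not candidate:
        return None
    try:
        # Reject garbage such as hostnames or truncated fields.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose source IP is on the indicator list."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        ip = source_ip(line)
        if ip and ip in INDICATOR_IPS:
            hits.append({"line": str(lineno), "srcip": ip, "text": line.strip()})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matched lines per indicator IP, so a single hit is not lost in volume."""
    return dict(Counter(h["srcip"] for h in hits))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOGS.splitlines())
    for h in found:
        print(f"line {h['line']}: {h['srcip']} -> {h['text']}")
    print("per-IP counts:", summarize(found))
```

Feed it real exports (e.g. the appliance's web-access and event logs plus the perimeter firewall's traffic logs) rather than the embedded sample; a single match from any of these addresses is enough to warrant a full review of the device for the file, cron and configuration changes described above, since the advisory reports the actor erasing logs after access.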