
Fortinet has released an urgent security update to address a critical vulnerability affecting its enterprise telephony systems, FortiVoice. Security researchers have confirmed that the flaw was already being exploited in real-world attacks before a patch was available.
The vulnerability, assigned the identifier CVE-2025-32756, received a near-maximum severity score of 9.6 out of 10. It stems from a stack-based buffer overflow (CWE-121) and affects multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. By sending specially crafted HTTP requests, attackers can remotely execute arbitrary code on vulnerable devices without requiring authentication.
Fortinet’s security team documented a wave of targeted intrusions against FortiVoice systems. Attackers followed a deliberate modus operandi—scanning networked devices, erasing system failure logs, and enabling FCGI debugging to intercept login credentials during system access or SSH attempts.
The investigation identified six IP addresses linked to the attacks: 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59. Fortinet has not disclosed the full scope of the breach or the identities of the threat actors involved.
Patches have been issued for all affected software versions. FortiMail users should upgrade to versions 7.0.9, 7.2.8, 7.4.5, or 7.6.3, depending on their release branch. For FortiNDR, updates to versions 7.0.7, 7.2.5, 7.4.8, or 7.6.1 are recommended. FortiRecorder users should install versions 6.4.6, 7.0.6, or 7.2.4. FortiVoice systems require upgrades to versions 6.4.11, 7.0.7, or 7.2.1.
Certain products require special attention. FortiCamera versions 1.1 and 2.0, along with FortiNDR versions 1.1–1.5 and 7.1, must be fully migrated to patched releases. FortiCamera 2.1.x users can upgrade to version 2.1.4 or later.
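An added example (not Fortinet's code and not part of the original article): a Python triage that checks a device inventory against the fixed versions listed above and flags branches that must be migrated. The hostnames and inventory are constructed, and the code assumes that any later patch level within a listed branch is also fixed.

```python
# Minimum fixed patch level per release branch, transcribed from the article.
FIXED = {
    "FortiMail":     {(7, 0): 9, (7, 2): 8, (7, 4): 5, (7, 6): 3},
    "FortiNDR":      {(7, 0): 7, (7, 2): 5, (7, 4): 8, (7, 6): 1},
    "FortiRecorder": {(6, 4): 6, (7, 0): 6, (7, 2): 4},
    "FortiVoice":    {(6, 4): 11, (7, 0): 7, (7, 2): 1},
    "FortiCamera":   {(2, 1): 4},
}
# Branches the article says must be migrated to a patched release.
MIGRATE = {
    "FortiCamera": {(1, 1), (2, 0)},
    "FortiNDR": {(1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (7, 1)},
}
INVENTORY = [  # constructed sample inventory: (host, product, version)
    ("pbx-01", "FortiVoice", "7.0.6"),
    ("pbx-02", "FortiVoice", "6.4.11"),
    ("cam-01", "FortiCamera", "2.0.3"),
    ("ndr-01", "FortiNDR", "7.1.0"),
    ("mail-01", "FortiMail", "6.4.8"),
]

def triage(product, version):
    """Return (status, detail) for one device; compares numerically, so 6.4.9 < 6.4.11."""
    try:
        parts = [int(p) for p in version.strip().split(".")]
    except ValueError:
        parts = []
    if len(parts) < 2:
        return ("unknown", f"unparseable version {version!r}")
    major, minor = parts[0], parts[1]
    patch = parts[2] if len(parts) > 2 else 0  # assumption: missing patch level is 0
    if (major, minor) in MIGRATE.get(product, ()):
        return ("migrate", "no fix in this branch; move to a patched release")
    fixed = FIXED.get(product, {}).get((major, minor))
    if fixed is None:
        return ("unknown", "product or branch not listed in the article")
    if patch >= fixed:
        return ("patched", f"at or above {major}.{minor}.{fixed}")
    return ("vulnerable", f"upgrade to {major}.{minor}.{fixed} or later")

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, (status, detail) in report(INVENTORY).items():
        print(f"{host:8} {status:10} {detail}")
```

Devices reported as `unknown` are not confirmed safe; they are simply outside the branches this article lists and should be checked against the vendor advisory.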
For organizations unable to update immediately, Fortinet advises temporary mitigation by disabling the HTTP/HTTPS administrative interface on affected devices—an interim safeguard to reduce exposure until a permanent fix can be applied.