National Cyber Warfare Foundation (NCWF)

CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products


2025-05-14 15:03:04
milo

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products, including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated CVSS 9.6 (Critical) and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.


Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.


Mitigation guidance


Fortinet has provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.


FortiVoice 7.2 should be upgraded to 7.2.1 or above

FortiVoice 7.0 should be upgraded to 7.0.7 or above

FortiVoice 6.4 should be upgraded to 6.4.11 or above


FortiRecorder 7.2 should be upgraded to 7.2.4 or above

FortiRecorder 7.0 should be upgraded to 7.0.6 or above

FortiRecorder 6.4 should be upgraded to 6.4.6 or above


FortiNDR 7.6 should be upgraded to 7.6.1 or above

FortiNDR 7.4 should be upgraded to 7.4.8 or above

FortiNDR 7.2 should be upgraded to 7.2.5 or above

FortiNDR 7.1 should be migrated to a fixed release

FortiNDR 7.0 should be upgraded to 7.0.7 or above

FortiNDR 1.5 should be migrated to a fixed release

FortiNDR 1.4 should be migrated to a fixed release

FortiNDR 1.3 should be migrated to a fixed release

FortiNDR 1.2 should be migrated to a fixed release

FortiNDR 1.1 should be migrated to a fixed release


FortiMail 7.6 should be upgraded to 7.6.3 or above

FortiMail 7.4 should be upgraded to 7.4.5 or above

FortiMail 7.2 should be upgraded to 7.2.8 or above

FortiMail 7.0 should be upgraded to 7.0.9 or above


FortiCamera 2.1 should be upgraded to 2.1.4 or above

FortiCamera 2.0 should be migrated to a fixed release

FortiCamera 1.1 should be migrated to a fixed release


For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance's HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.
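The upgrade list above can be applied to an asset inventory mechanically. The following is an added example, not part of the original Rapid7 post or any Fortinet tooling; the function names, the `MAJOR.MINOR.PATCH` version-string format, and the sample hosts are assumptions made for illustration.

```python
import re

# Minimum fixed patch level per (product, branch), transcribed from the list above.
# None means the branch has no fixed build and must be migrated to a fixed release.
FIXED = {
    "FortiVoice":    {"7.2": 1, "7.0": 7, "6.4": 11},
    "FortiRecorder": {"7.2": 4, "7.0": 6, "6.4": 6},
    "FortiNDR":      {"7.6": 1, "7.4": 8, "7.2": 5, "7.1": None, "7.0": 7,
                      "1.5": None, "1.4": None, "1.3": None, "1.2": None, "1.1": None},
    "FortiMail":     {"7.6": 3, "7.4": 5, "7.2": 8, "7.0": 9},
    "FortiCamera":   {"2.1": 4, "2.0": None, "1.1": None},
}

def triage(product, version):
    """Return 'fixed', 'upgrade to X.Y.Z', 'migrate', 'unlisted' or 'unparsed'."""
    # Assumed format: optional 'v' prefix, then MAJOR.MINOR.PATCH; trailing text is ignored.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unparsed"
    branch, patch = f"{m.group(1)}.{m.group(2)}", int(m.group(3))
    branches = FIXED.get(product, {})
    if branch not in branches:
        # Product or branch is not in the list above: make no assumption either way
        # and check the vendor advisory.
        return "unlisted"
    minimum = branches[branch]
    if minimum is None:
        return "migrate"
    # Compare patch levels as integers: 6.4.9 is older than 6.4.11, although
    # a plain string comparison would order them the other way round.
    return "fixed" if patch >= minimum else f"upgrade to {branch}.{minimum}"

def triage_inventory(rows):
    """rows: iterable of (host, product, version) tuples."""
    return [(h, p, v, triage(p, v)) for h, p, v in rows]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("voice-01", "FortiVoice", "6.4.9"),
    ("voice-02", "FortiVoice", "7.2.1"),
    ("ndr-01", "FortiNDR", "7.1.0"),
    ("cam-01", "FortiCamera", "2.1.3"),
]

if __name__ == "__main__":
    for host, product, version, status in triage_inventory(SAMPLE):
        print(f"{host:10} {product:14} {version:8} {status}")
```

Hosts reported as `migrate` or `upgrade to ...` that cannot be updated immediately are the candidates for the interim mitigation of disabling the HTTP(S) administration interface.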


Rapid7 customers


InsightVM and Nexpose customers can assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check available in the May 14, 2025 content release.




Source: Rapid7
Source Link: https://blog.rapid7.com/2025/05/14/etr-multiple-fortinet-products-cve-2025-32756-exploited-in-the-wild/

