Actively exploited critical Fortinet flaw fixed

Updates have been issued by Fortinet to address a critical zero-day remote code execution vulnerability, tracked as CVE-2025-32756, which has already been leveraged to compromise FortiVoice enterprise phone systems, according to BleepingComputer.
Attackers have used six IP addresses to launch intrusions that exploit the stack-based overflow bug and deliver credential-stealing malware against systems that had the 'fcgi debugging' setting activated, reported Fortinet's Product Security Team, which also noted that the flaw affects the company's FortiNDR, FortiMail, FortiCamera, and FortiRecorder offerings. Immediate application of the released patches has been recommended. However, Fortinet noted that organizations that cannot do so should deactivate the HTTP/HTTPS administrative interface on their instances. The development comes weeks after the Shadowserver Foundation found more than 16,000 online Fortinet devices to have been infected with a novel symlink backdoor that enabled read-only access to files in previously compromised devices that have since been remediated.