A critical zero-day vulnerability (CVE-2025-32756) in multiple Fortinet products, including FortiVoice, has been actively exploited. The flaw is a stack-based buffer overflow that allows remote code execution without authentication. Attackers can gain full control of affected systems, access sensitive data, and pivot to other internal networks. The vulnerability stems from an enabled fcgi debugging option, which is not a default setting. Fortinet has released patches and recommends immediate action. Detection methods include checking for enabled fcgi debugging and monitoring specific log entries. The threat actor has been observed conducting network scans, deleting crash logs, and enabling FCGI debugging to capture credentials. Author: AlienVault
Related Tags:
network-scan
cve-2025-32756
fortinet
credential-capture
remote-code-execution
fortivoice
patch
T1078.001
T1070.004
Associated Indicators:
4410352E110F82EABC0BF160BEC41D21
364929C45703A84347064E2D5DE45BCD
198.105.127.124
156.236.76.90
43.228.217.82
218.187.69.59
218.187.69.244
43.228.217.173