Fortinet Addresses Code Execution Vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder & FortiCamera (CVE-2025-32756)

Posted by Author Diksha Ojha on Posted on

Fortinet released a security advisory to address a critical severity vulnerability impacting FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Tracked as CVE-2025-32756, the vulnerability has a CVSS score of 9.6.

A remote unauthenticated attacker may exploit the stack-based overflow vulnerability to execute arbitrary code or commands via crafted HTTP requests.

In their advisory, Fortinet mentioned that there are reports of the vulnerability being exploited in the wild on FortiVoice instances.

CISA acknowledged the vulnerability’s active exploitation by adding it to its Known Exploited Vulnerabilities Catalog and urging users to patch it before June 4, 2025.

Indicator of Compromises (IoCs)

The Threat Actor (TA) has been seen using the following IP addresses:

  • 198.105.127.124
  • 43.228.217.173
  • 43.228.217.82
  • 156.236.76.90
  • 218.187.69.244
  • 218.187.69.59

Affected Versions

  • FortiCamera 2.1 versions 2.1.0 through 2.1.3
  • FortiCamera 2.0 all versions
  • FortiCamera 1.1 all versions
  • FortiMail 7.6 versions 7.6.0 through 7.6.2
  • FortiMail 7.4 versions 7.4.0 through 7.4.4
  • FortiMail 7.2 versions 7.2.0 through 7.2.7
  • FortiMail 7.0 versions 7.0.0 through 7.0.8
  • FortiNDR 7.6 version 7.6.0
  • FortiNDR 7.4 versions 7.4.0 through 7.4.7
  • FortiNDR 7.2 versions 7.2.0 through 7.2.4
  • FortiNDR 7.1 all versions
  • FortiNDR 7.0 versions 7.0.0 through 7.0.6
  • FortiNDR 1.5 all versions
  • FortiNDR 1.4 all versions
  • FortiNDR 1.3 all versions
  • FortiNDR 1.2 all versions
  • FortiNDR 1.1 all versions
  • FortiRecorder 7.2 versions 7.2.0 through 7.2.3
  • FortiRecorder 7.0 versions 7.0.0 through 7.0.5
  • FortiRecorder 6.4 versions 6.4.0 through 6.4.5
  • FortiVoice 7.2 versions 7.2.0
  • FortiVoice 7.0 versions 7.0.0 through 7.0.6
  • FortiVoice 6.4 versions 6.4.0 through 6.4.10

Mitigation

Users must upgrade to the following versions to patch the vulnerability:

  • FortiCamera 2.1 version 2.1.4 or above
  • For FortiCamera 2.0, upgrade to the latest fixed version
  • For FortiCamera 1.1, upgrade to the latest fixed version
  • FortiMail 7.6 version 7.6.3 or above
  • FortiMail 7.4 version 7.4.5 or above
  • FortiMail 7.2 version 7.2.8 or above
  • FortiMail 7.0 version 7.0.9 or above
  • FortiNDR 7.6 version 7.6.1 or above
  • FortiNDR 7.4 version 7.4.8 or above
  • FortiNDR 7.2 version 7.2.5 or above
  • For FortiNDR 7.1, upgrade to the latest fixed version
  • FortiNDR 7.0 version 7.0.7 or above
  • For FortiNDR 1.5, upgrade to the latest fixed version
  • For FortiNDR 1.4, upgrade to the latest fixed version
  • For FortiNDR 1.3, upgrade to the latest fixed version
  • For FortiNDR 1.2, upgrade to the latest fixed version
  • For FortiNDR 1.1, upgrade to the latest fixed version
  • FortiRecorder 7.2 version 7.2.4 or aboveFortiRecorder 7.0 version 7.0.6 or above
  • FortiRecorder 6.4 version 6.4.6 or above
  • FortiVoice 7.2 version 7.2.1 or above
  • FortiVoice 7.0 version 7.0.7 or above
  • FortiVoice 6.4 version 6.4.11 or above

Please refer to the Fortinet PSIRT Advisory (FG-IR-25-254) for more information.

Workaround

FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera users may disable the HTTP/HTTPS administrative interface as a temporary workaround.

Qualys Detection

Qualys customers can scan their devices with QID 383234 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

Reference
https://fortiguard.fortinet.com/psirt/FG-IR-25-254

Leave a Reply

Your email address will not be published. Required fields are marked *