On 13 May 2025, Fortinet published a security advisory on a critical severity stack-based overflow vulnerability, CVE-2025-32756, impacting FortiVoice, FortiCamera, FortiMail, FortiNDR, and FortiRecorder. The vulnerability allows remote unauthenticated threat actors to execute arbitrary code or commands via crafted HTTP requests.
In the advisory Fortinet stated that the vulnerability has been exploited in the wild on FortiVoice. The advisory includes indicators of compromise (IoCs), also disclosing that in observed attacks threat actors have deployed malware on compromised devices, stolen credentials via cron jobs, and utilised scripts to conduct network reconnaissance.
As threat actors have a history of targeting Fortinet products, exploitation will likely continue and may include additional affected products.
Recommendations for CVE-2025-32756
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade the Fortinet products to the latest fixed version.
| Product | Affected Version | Fixed Version |
| FortiVoice 7.2 | 7.2.0 | 7.2.1 or above |
| FortiVoice 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above |
| FortiVoice 6.4 | 6.4.0 through 6.4.10 | 6.4.11 or above |
| FortiCamera 2.1 | 2.1.0 through 2.1.3 | 2.1.4 or above |
| FortiMail 7.6 | 7.6.0 through 7.6.2 | 7.6.3 or above |
| FortiMail 7.4 | 7.4.0 through 7.4.4 | 7.4.5 or above |
| FortiMail 7.2 | 7.2.0 through 7.2.7 | 7.2.8 or above |
| FortiMail 7.0 | 7.0.0 through 7.0.8 | 7.0.9 or above |
| FortiNDR 7.6 | 7.6.0 | 7.6.1 or above |
| FortiNDR 7.4 | 7.4.0 through 7.4.7 | 7.4.8 or above |
| FortiNDR 7.2 | 7.2.0 through 7.2.4 | 7.2.5 or above |
| FortiNDR 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above |
| FortiRecorder 7.2 | 7.2.0 through 7.2.3 | 7.2.4 or above |
| FortiRecorder 7.0 | 7.0.0 through 7.0.5 | 7.0.6 or above |
| FortiRecorder 6.4 | 6.4.0 through 6.4.5 | 6.4.6 or above |
Note: As all versions of FortiCamera 2.0, FortiCamera 1.1, FortiNDR 7.1, FortiNDR 1.5, FortiNDR 1.4, FortiNDR 1.3, FortiNDR 1.2, and FortiNDR 1.1 are affected by the vulnerability, Fortinet recommends customers migrate to a fixed release.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Workaround
For users unable to immediately upgrade to a fixed version, Fortinet recommends disabling the HTTP/HTTPS administrative interface.
