Critical Fortinet Vulnerability Exposes Enterprise Networks

Less than two weeks ago, a threat actor published sensitive data from roughly 15,000 FortiGate firewalls on the dark web. The leaked information included IP addresses, passwords, and configuration details, a serious risk for the affected organizations worldwide. The data appears to come from customer firewalls that were compromised back in 2022.
Fortinet now faces a separate and more urgent problem: a new zero-day vulnerability, CVE-2025-32756. This critical flaw scores 9.8 out of 10 on the CVSS scale and lets a remote attacker run arbitrary code without any authentication. Several Fortinet products are affected: FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Fortinet has confirmed that the flaw is being exploited in the wild, though the full extent of the attacks is not yet known. It is the eighteenth Fortinet vulnerability to be added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Fortinet discloses CVE-2025-32756 affecting multiple products
On May 13, 2025, Fortinet published an advisory for a critical stack-based buffer overflow, tracked as CVE-2025-32756. You can read the NIST NVD entry here; the short version is this:
- It carries a CVSS base score of 9.8.
- It affects several Fortinet products, including FortiVoice (6.4.0 through 6.4.10, 7.0.0 through 7.0.6, and 7.2.0), FortiMail (7.0.0 through 7.0.8, 7.2.0 through 7.2.7, 7.4.0 through 7.4.4, and 7.6.0 through 7.6.2), and numerous version ranges of FortiNDR, FortiRecorder, and FortiCamera.
- It allows an unauthenticated remote attacker to execute arbitrary code or commands by sending HTTP requests that carry a specially crafted hash cookie.
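The version ranges above are easy to misread in an inventory spreadsheet, so here is an added example (written for this article, not Fortinet tooling) that parses appliance-style version strings and flags hosts inside the FortiVoice and FortiMail ranges quoted above. FortiNDR, FortiRecorder and FortiCamera are deliberately left out because their ranges are not listed here; the `v7.0.6,build0123` input format, the hostnames and the build numbers are assumptions.

```python
"""Flag FortiVoice / FortiMail builds that fall inside the CVE-2025-32756 affected ranges.

Added example for this article; it is not Fortinet tooling. The version ranges are the
FortiVoice and FortiMail ranges quoted in the text. FortiNDR, FortiRecorder and FortiCamera
are left out because their ranges are not listed here; fill them in from the Fortinet
advisory before relying on this for those products.
"""
from __future__ import annotations

# product -> inclusive (lowest affected, highest affected) ranges, per the article
AFFECTED_RANGES: dict[str, list[tuple[str, str]]] = {
    "FortiVoice": [("6.4.0", "6.4.10"), ("7.0.0", "7.0.6"), ("7.2.0", "7.2.0")],
    "FortiMail": [("7.0.0", "7.0.8"), ("7.2.0", "7.2.7"), ("7.4.0", "7.4.4"), ("7.6.0", "7.6.2")],
}


def parse_version(raw: str) -> tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Accepts plain '7.0.6' as well as an assumed appliance-style 'v7.0.6,build0123'
    (the build suffix is dropped; only the numeric triple matters for the ranges).
    """
    core = raw.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool | None:
    """True if inside a listed range, False if outside all of them, None if the product
    is not covered by AFFECTED_RANGES (treat None as 'check the advisory', not 'safe')."""
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        return None
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: list[tuple[str, str, str]]) -> tuple[list[str], list[str]]:
    """Split an inventory of (host, product, version) into hosts that need patching now
    and hosts whose product is not covered here and must be checked by hand."""
    patch_now: list[str] = []
    check_manually: list[str] = []
    for host, product, version in inventory:
        status = is_affected(product, version)
        if status is True:
            patch_now.append(host)
        elif status is None:
            check_manually.append(host)
    return patch_now, check_manually


# Constructed inventory for the demonstration; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("mail-01", "FortiMail", "v7.4.4,build0123"),     # last affected build of the 7.4 line
    ("mail-02", "FortiMail", "v7.6.3,build0456"),     # above the 7.6.0-7.6.2 range
    ("voice-01", "FortiVoice", "v6.4.10,build0789"),  # inside 6.4.0-6.4.10
    ("voice-02", "FortiVoice", "v7.2.1,build0012"),   # above the single affected 7.2.0 build
    ("ndr-01", "FortiNDR", "v7.4.0,build0001"),       # product not covered here
]

if __name__ == "__main__":
    patch_now, check_manually = triage(SAMPLE_INVENTORY)
    print("patch now:      ", patch_now)
    print("check manually: ", check_manually)
```

Note that a `False` result only means the build is outside the ranges quoted in this article; a product line the article does not mention still needs a look at the advisory, which is why unknown products come back as `None` rather than being silently treated as safe.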
Fortinet's Product Security Team found the vulnerability after noticing suspicious activity on FortiVoice systems. That activity included network scanning, deletion of system crash logs, and enabling fcgi debugging so that credentials from system and SSH login attempts would be written to a log file.
Signs of compromise mostly show up as modified system files. In one case the attackers added a malicious library, libfmlogin.so, that logged SSH credentials. They also edited legitimate configuration files so that unauthorized modules would be loaded, giving them backdoor access.
So far Fortinet has identified six IP addresses the threat actor used to exploit the zero-day: 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59. Any of these appearing in appliance logs should be treated as an indicator of compromise.
Researchers at Horizon3.ai confirmed that the vulnerability lies in the administrative API, so a successful exploit allows, among other things, data export and full administrative access. As Akamai explains, "Failing to address API vulnerabilities can result in severe consequences, such as data breaches that expose sensitive information like personally identifiable information (PII) and financial data."
Fortinet urges immediate patching and mitigation
Fortinet has released fixed versions that close the stack overflow, and its advisory lists further mitigation and detection steps:
- Block the known attacker IP addresses listed above
- Upgrade to a fixed release (the complete list of affected and fixed versions can be found here)
- If you cannot patch immediately, disable the HTTP/HTTPS administrative interface as a temporary workaround
- Check whether fcgi debugging has been enabled by running the following in the CLI:
diag debug application fcgi
A compromised system may show "general to-file ENABLED" in the output, which means login credentials may already have been written to disk.
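The indicators Fortinet published (the fcgi debugging flag from the CLI check above, the six attacker IP addresses, and the planted libfmlogin.so library) are small enough to script. The following is an added example for this article, not Fortinet tooling: it takes saved `diag debug application fcgi` output, a slice of appliance logs and a file listing, and reports which indicators fired. All sample inputs are constructed; the second line of the CLI output, the log line format and the file list are assumptions, and real appliance output may need different parsing.

```python
"""Triage an appliance for the CVE-2025-32756 indicators Fortinet published.

Added example for this article, not Fortinet tooling. It checks the three indicators the
text lists: fcgi debugging enabled ('general to-file ENABLED' in the output of
'diag debug application fcgi'), log traffic from the six attacker IPs, and the presence of
the libfmlogin.so credential logger. All sample inputs below are constructed; the real log
and CLI output formats on a given appliance may differ, so adapt the parsing.
"""
import re
from collections import Counter

# The six source IPs Fortinet associated with the exploitation campaign.
ATTACKER_IPS = frozenset({
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
})
# Marker in 'diag debug application fcgi' output that indicates debugging was turned on.
FCGI_DEBUG_MARKER = "general to-file ENABLED"
# Library the attackers added to log SSH credentials (the one file the article names).
SUSPICIOUS_BASENAMES = frozenset({"libfmlogin.so"})
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def fcgi_debug_enabled(cli_output: str) -> bool:
    """True if the saved CLI output shows fcgi debugging writing to a file."""
    return any(FCGI_DEBUG_MARKER in line for line in cli_output.splitlines())


def attacker_ip_hits(log_lines) -> dict:
    """Count log lines per known attacker IP (every IPv4 literal in a line is checked,
    each IP counted at most once per line)."""
    hits = Counter()
    for line in log_lines:
        for ip in set(IPV4_RE.findall(line)):
            if ip in ATTACKER_IPS:
                hits[ip] += 1
    return dict(hits)


def suspicious_files(paths) -> list:
    """Return the paths whose basename matches a known planted library."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in SUSPICIOUS_BASENAMES)


def assess(cli_output: str, log_lines, paths) -> list:
    """Combine the three checks into a list of human-readable findings.
    An empty list is not proof of a clean box; it only means none of these indicators fired."""
    findings = []
    if fcgi_debug_enabled(cli_output):
        findings.append("fcgi debugging enabled: credentials may have been captured to file")
    hits = attacker_ip_hits(log_lines)
    if hits:
        findings.append(f"log entries from known attacker IPs: {hits}")
    planted = suspicious_files(paths)
    if planted:
        findings.append(f"planted credential-logging library present: {planted}")
    return findings


# Constructed sample inputs (not real appliance output); the second CLI line is assumed.
SAMPLE_FCGI_OUTPUT = "general to-file ENABLED\ngeneral to-console DISABLED\n"
SAMPLE_LOGS = [
    "2025-05-10T02:13:44Z httpd: 198.105.127.124 - GET /admin/ 200",
    "2025-05-10T02:13:45Z httpd: 10.20.30.40 - GET /admin/ 200",
    "2025-05-10T02:14:01Z sshd: Failed password from 43.228.217.82 port 51234",
    "2025-05-10T02:14:09Z httpd: 198.105.127.124 - POST /admin/ 500",
]
SAMPLE_FILES = ["/lib/libc.so.6", "/lib/libfmlogin.so", "/bin/busybox"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_FCGI_OUTPUT, SAMPLE_LOGS, SAMPLE_FILES) or ["no indicators matched"]:
        print(finding)
```

Run against the constructed samples it reports all three findings. The useful part for incident response is the negative case: no hits on the fcgi flag, the IP list or the file name does not clear a device, since the advisory also describes deleted crash logs and edited configuration files that this script does not look at.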
The advisory stresses that unpatched systems are at high risk: threat actors are actively scanning for vulnerable devices, so every day of delay widens the window for exploitation.
Conclusion
CVE-2025-32756 is one of the most severe threats Fortinet customers face today: a critical flaw with a CVSS score of 9.8 that is already being exploited. Anyone running an affected version of FortiVoice, FortiMail, FortiNDR, FortiRecorder, or FortiCamera is at immediate risk.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog quickly to underline the need for immediate action. Organizations should upgrade affected systems following Fortinet's guidance right away and, where that is not immediately possible, disable the HTTP/HTTPS administrative interface as a temporary measure.
The episode also fits a worrying pattern, since this is the eighteenth Fortinet vulnerability to enter CISA's KEV catalog. Security teams should hunt for signs of compromise, in particular unauthorized changes to system files and traffic from the six attacker IP addresses above, and should remember that security infrastructure itself becomes an attack vector when it is not patched promptly.