Fortinet fixes critical zero-day exploited in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera attacks


Information:

   Fortinet is a leading cybersecurity company that protects organizations, service providers, and large government agencies worldwide from cyber threats. Fortinet empowers customers with deep threat intelligence and enables them to build intelligent defenses that keep their businesses running smoothly. To meet the ever-increasing demands for performance in today's and tomorrow's borderless networks, Fortinet's innovative Security Fabric architecture offers unparalleled security capabilities that can withstand any threat, whether it's in the network, applications, cloud, mobile, or IoT.

Incident:

Fortinet has released security updates to patch a critical remote code execution zero-day exploited in attacks targeting FortiVoice enterprise phone systems as well as FortiMail, FortiNDR, FortiRecorder and FortiCamera. The security flaw is a stack-based overflow vulnerability.

Fortinet's Product Security Team discovered CVE-2025-32756 based on attackers' activity, including network scans, deletion of system crash logs to cover their tracks, and 'fcgi debugging' being toggled on to log credentials from the system or SSH login attempts. Successful exploitation allows remote, unauthenticated attackers to execute arbitrary code or commands via maliciously crafted HTTP requests.

The following IP addresses, when found in log entries, are possible IoCs (Indicators of Compromise); the Threat Actor (TA) has been seen using them:

  • 198.105.127.124
  • 43.228.217.173
  • 43.228.217.82
  • 156.236.76.90
  • 218.187.69.244
  • 218.187.69.59

While investigating these attacks, Fortinet has observed the threat actors deploying malware on hacked devices, adding cron jobs designed to harvest credentials, and dropping scripts to scan the victims' networks.
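As an added example (not part of this advisory or of Fortinet's tooling), the following Python script shows one way a defender could sweep exported device or firewall logs for the IP addresses listed above. The log lines are constructed for illustration and their field names are assumptions, not a real Fortinet log format; the IoC set is exactly the list given in the advisory.

```python
import re
from ipaddress import ip_address

# IP addresses listed in the advisory above as observed threat-actor sources
IOC_IPS = {
    "198.105.127.124",
    "43.228.217.173",
    "43.228.217.82",
    "156.236.76.90",
    "218.187.69.244",
    "218.187.69.59",
}

# Loose dotted-quad pattern; candidates are validated with ipaddress below
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(line):
    """Return the set of syntactically valid IPv4 addresses found in a log line."""
    found = set()
    for candidate in IPV4_RE.findall(line):
        try:
            found.add(str(ip_address(candidate)))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def find_ioc_hits(lines, iocs=IOC_IPS):
    """Return (line_number, sorted matched IPs) for every line mentioning an IoC address."""
    hits = []
    for n, line in enumerate(lines, start=1):
        matched = extract_ips(line) & set(iocs)
        if matched:
            hits.append((n, sorted(matched)))
    return hits


# Constructed sample lines (not real device logs); key=value layout is assumed
SAMPLE_LOG = [
    'date=2025-05-12 time=10:01:02 user="admin" ui=GUI(10.0.0.5) action=login status=success',
    'date=2025-05-12 time=10:03:44 srcip=198.105.127.124 dstport=443 action=deny reason="scan"',
    'date=2025-05-12 time=10:04:10 srcip=192.168.1.20 dstport=22 action=accept',
    'date=2025-05-12 time=10:05:55 srcip=43.228.217.82 url="/admin/login" status=404',
    'date=2025-05-12 time=10:06:01 srcip=999.1.1.1 action=deny',
]

if __name__ == "__main__":
    for n, ips in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: IoC address(es) {', '.join(ips)}")
```

To run it against real data, replace SAMPLE_LOG with the lines of an exported log file; a hit only tells you the address appeared, so each match still needs to be reviewed together with the action and timestamp on that line.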

How to identify files that have been modified, either by legitimate users or potentially by a Threat Actor (TA):

To verify whether fcgi debugging is enabled on your system, run the following CLI command:

  diag debug application fcgi

If the output contains "general to-file ENABLED", fcgi debugging is enabled on your system:

  fcgi debug level is 0x80041
  general to-file ENABLED

This is not a default setting, so unless you enabled it yourself in the past, it is potentially an Indicator of Compromise.
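The check above can be scripted once the command output has been saved to a file. The following Python code is an added example, not Fortinet's own tooling: it parses the text of `diag debug application fcgi` and flags the "general to-file ENABLED" line the advisory describes. The output for a device with the option off is a constructed sample, since the page only shows the enabled case, so its wording is an assumption.

```python
import re
import sys

# Matches the debug-level line quoted in the advisory, e.g. "fcgi debug level is 0x80041"
LEVEL_RE = re.compile(r"fcgi debug level is (0x[0-9a-fA-F]+)")
# Exact indicator named in the advisory; "DISABLED" must not match
TO_FILE_RE = re.compile(r"general to-file ENABLED")


def parse_fcgi_debug(output):
    """Parse the text of `diag debug application fcgi`.

    Returns the raw debug level as an int (None if the line is absent) and
    whether to-file logging, the setting the advisory flags, is switched on.
    """
    m = LEVEL_RE.search(output)
    level = int(m.group(1), 16) if m else None
    return {"level": level, "to_file_enabled": bool(TO_FILE_RE.search(output))}


def assess(output, expected_enabled=False):
    """Return 'suspicious' when to-file debugging is on and the operator did
    not enable it themselves (expected_enabled records that), else 'ok'."""
    state = parse_fcgi_debug(output)
    if state["to_file_enabled"] and not expected_enabled:
        return "suspicious"
    return "ok"


# Output quoted in the advisory above (fcgi debugging enabled)
ENABLED_OUTPUT = """fcgi debug level is 0x80041
general to-file ENABLED
"""

# Constructed sample for a device where the option is off; the exact wording
# of a clean device's output is not given on the page, so this is assumed
CLEAN_OUTPUT = "fcgi debug level is 0x0\n"

if __name__ == "__main__":
    # Usage: save the CLI output to a file and pipe it in, e.g.
    #   python fcgi_check.py < fcgi_output.txt
    print(assess(sys.stdin.read()))
```

Pass `expected_enabled=True` only when a change record shows that an administrator turned the setting on deliberately; otherwise a "suspicious" result should be handled as a possible compromise of the device.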

Solution:

Upgrade to a fixed version. Customers who cannot immediately install the security updates should apply Fortinet's workaround, which requires disabling the HTTP/HTTPS administrative interface on vulnerable devices.

Security systems are what matter. We must stay vigilant and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)

 

References:

Weekly Interesting CVE

1. CVE-2025-20188
   Published date: 7/5/2025 | Last update: 8/5/2025
   Device/Application/OS target: Catalyst 9800 Series Wireless Controllers on Cisco IOS XE
   Attack type: Use of Hard-coded Credentials
   CVSS severity rating: 10.0
   Detail: This vulnerability exists in the Out-of-Band AP Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) and could allow an unauthenticated attacker to remotely upload AP firmware image files.
   Solution: Temporarily disable the Out-of-Band AP Image Download feature and switch to using the CAPWAP protocol for AP firmware image updates instead.
   Reference: https://www.cvedetails.com/cve/CVE-2025-20188/

2. CVE-2025-45491
   Published date: 6/5/2025 | Last update: 7/5/2025
   Device/Application/OS target: Linksys E5600 v1.1.0.26
   Attack type: OS Command Injection
   CVSS severity rating: 9.8
   Detail: Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the username parameter.
   Solution: Disable the use of DDNS via DynDNS by switching to a different DDNS provider, restrict external access to the router, and update the firmware as soon as a patch becomes available.
   Reference: https://www.cvedetails.com/cve/CVE-2025-45491/

3. CVE-2025-4096
   Published date: 5/5/2025 | Last update: 6/5/2025
   Device/Application/OS target: Google Chrome
   Attack type: Heap-based Buffer Overflow
   CVSS severity rating: 8.8
   Detail: Heap buffer overflow in HTML in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
   Solution: It is recommended to update Google Chrome to version 136.0.7103.59 or later, as this version includes a fix for the reported vulnerability.
   Reference: https://www.cvedetails.com/cve/CVE-2025-4096/

4. CVE-2025-46635
   Published date: 1/5/2025 | Last update: 2/5/2025
   Device/Application/OS target: Tenda RX2 Pro
   Attack type: Improper Access Control
   CVSS severity rating: 7.1
   Detail: An issue was discovered on Tenda RX2 Pro 16.03.30.14 devices. Improper network isolation between the guest Wi-Fi network and other network interfaces on the router allows an attacker (who is authenticated to the guest Wi-Fi) to access resources on the router and/or resources and devices on other networks hosted by the router by configuring a static IP address (within the non-guest subnet) on their host.
   Solution: Consider disabling the Guest Wi-Fi network if it is not necessary, and check whether the router's firmware has been updated to the latest version. If not, it is strongly recommended to update the firmware immediately.
   Reference: https://www.cvedetails.com/cve/CVE-2025-46635/

5. CVE-2025-22247
   Published date: 12/5/2025 | Last update: 12/5/2025
   Device/Application/OS target: VMware vSphere ESXi
   Attack type: Improper Link Resolution Before File Access
   CVSS severity rating: 6.1
   Detail: VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper with local files to trigger insecure file operations within that VM.
   Solution: It is recommended to update VMware Tools on Linux and Windows guests to version 12.5.2. macOS is currently not affected by this vulnerability.
   Reference: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683

 


1. Campaign name: Russia-linked ColdRiver used LostKeys malware in recent attacks
   Detection date: 09/05/2025
   Attack type: Phishing, Malware
   Description: Cybersecurity researchers have identified a hacker group linked to the Russian government, known as "COLDRIVER" (also referred to as Star Blizzard, Callisto, and UNC4057), which has deployed a new type of malware called LOSTKEYS. This malware is used for cyber-espionage operations targeting government agencies, media organizations, NGOs, and defense-related entities in Europe and North America. The attack begins by luring victims to a fake website that displays a fraudulent CAPTCHA, instructing users to manually copy and paste a PowerShell command (a tactic known as "ClickFix") to bypass traditional antivirus detection. Once the command is executed, the system downloads and installs the malware in multiple stages. It first checks the environment to avoid running in virtual machines (VMs), then proceeds to install LOSTKEYS, which is capable of stealing sensitive documents and system data and sending them back to the attackers' servers. LOSTKEYS is designed to identify and exfiltrate specific files, such as official documents, account credentials, and system intelligence. It also collects information on running processes and the overall system status.
   Mitigation/Remediation:
     • Avoid running commands from untrusted websites or emails.
     • Regularly update your operating system and software.
   Ref: https://securityaffairs.com/177638/apt/russia-linked-coldriver-used-lostkeys-malware-in-recent-attacks.html

 

 

27 May 2025
