Fortinet on Tuesday announced patches for a dozen vulnerabilities across its product portfolio, including a critical zero-day bug exploited in the wild against FortiVoice phone system appliances.
The exploited flaw, tracked as CVE-2025-32756 (CVSS score of 9.6), is described as a stack-based overflow defect that allows unauthenticated, remote attackers to execute arbitrary code or commands using crafted HTTP requests.
“Fortinet has observed this to be exploited in the wild on FortiVoice,” the company notes in its advisory.
As part of the observed attacks, threat actors scanned the device network, erased system crashlogs, and then enabled fcgi debugging to log system credentials and SSH logins.
Fortinet has shared indicators of compromise (IoCs) to help customers hunt for potential breaches and proposes disabling the HTTP/HTTPS administrative interface as a workaround.
Although exploited only against FortiVoice instances, CVE-2025-32756 also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera, and security updates were released for all five products.
On Tuesday, Fortinet also released patches for a critical flaw in FortiOS, FortiProxy, and FortiSwitchManager. Tracked as CVE-2025-22252 (CVSS score of 9.0) and described as a missing authentication for critical function defect, it could lead to TACACS+ authentication bypass.
It only affects instances that have “TACACS+ configured to use a remote TACACS+ server for authentication, that has itself been configured to use ASCII authentication”. An attacker could target an existing administrative account to access the device with admin privileges.
“This vulnerability is limited to configurations where ASCII authentication is used. PAP, MSCHAP, and CHAP configurations are not impacted,” Fortinet notes.
The company also resolved a high-severity incorrect authorization issue in FortiClient for macOS (CVE-2025-25251) that could allow a local attacker to elevate their privileges using crafted XPC messages.
Patches were also released for multiple medium- and low-severity flaws in FortiClient, FortiOS Security Fabric, FortiManager, FortiOS, FortiVoiceUC, and FortiPortal.
Additionally, the company has updated the advisories for four bugs to include additional affected products. Three of these impact OpenSSH and two resolve the Terrapin and regreSSHion attacks disclosed last year.
Fortinet customers are advised to apply the newly released patches as soon as possible. Additional information can be found on Fortinet’s PSIRT advisories page.
Related: Threat Actor Allegedly Selling Fortinet Firewall Zero-Day Exploit
Related: Fortinet Patches Critical FortiSwitch Vulnerability
Related: Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks
Related: Fortinet Patches 18 Vulnerabilities