Fortinet Releases Multiple Security Advisories

The security advisories address two critical vulnerabilities, of which one is reported as exploited

Threat ID:: CC-4657
Threat Severity:: Medium
Published:: 14 May 2025 3:45 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

The security advisories address two critical vulnerabilities, of which one is reported as exploited

Affected platforms

The following platforms are known to be affected:

Fortinet FortiOS

7.6.0
7.4.4 through 7.4.6

Fortinet FortiProxy

7.6.0 through 7.6.1

Fortinet FortiSwitch Manager

7.2.5

FortiCamera / FortiRecorder

FortiCamera

all versions
2.0 all versions
2.1.0 through 2.1.3

FortiRecorder

6.4.0 through 6.4.5
7.0.0 through 7.0.5
7.2.0 through 7.2.3

FortiMail

7.0.0 through 7.0.8
7.2.0 through 7.2.7
7.4.0 through 7.4.4
7.6.0 through 7.6.2

FortiNDR

1.1 all versions
1.2 all versions
1.3 all versions
1.4 all versions
1.5 all versions
7.0.0 through 7.0.6
7.1 all versions
7.2.0 through 7.2.4
7.4.0 through 7.4.7
7.6.0

FortiVoice

6.4.0 through 6.4.10
7.0.0 through 7.0.6
7.2.0

Threat details

Exploitation of CVE-2025-32756

Fortinet has observed active exploitation of CVE-2025-32756 in the wild on FortiVoice. The NHS England National CSOC assesses further exploitation as likely.

Introduction

Fortinet has released security advisories to two critical vulnerabilities.

The security advisories address one critical vulnerability in in FortiOS, FortiProxy and FortiSwitchManager, and an exploited vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera.

Vulnerability Details

CVE-2025-32756 is a 'stack-based buffer overflow' vulnerability with a CVSSv3 score of 9.6. Successful exploitation could allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
CVE-2025-22252 is an 'authentication for critical function' vulnerability with a CVSSv3 score of 9.0 in FortiOS, FortiProxy, and FortiSwitchManager products that are configured to use TACACS+ with ASCII authentication. Successful exploitation could allow an attacker with limited privileges to bypass authentication and gain administrator access to the device.

Note: CVE-2025-22252 is limited to configurations where ASCII authentication is used. PAP, MSCHAP, and CHAP configurations are not impacted.

Remediation advice

Affected organisations are encouraged to review Fortinet's Security Advisories and apply the relevant updates as soon as practicable. These advisories are detailed below for clarity.

Remediation steps

Type	Step
Patch	FG-IR-24-472 \| FortiOS, FortiProxy and FortiSwitchManager https://www.fortiguard.com/psirt/FG-IR-24-472
Patch	FG-IR-25-254 \| FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera https://fortiguard.fortinet.com/psirt/FG-IR-25-254

Definitive source of threat updates

CVE Vulnerabilities

Status Reserved

CVE-2025-22252

Status Published

CVE-2025-32756

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10, FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5, FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8, FortiNDR versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6, FortiCamera versions 2.1.0 through 2.1.3, 2.0 all versions, 1.1 all versions, allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.

Last edited: 14 May 2025 3:45 pm