Fortinet Urges Patch After FortiVoice Zero-Day Exploit


Fortinet has rolled out urgent security updates to fix 12 vulnerabilities, including a critical zero-day that has already been weaponized against its FortiVoice appliances. The flaw, tracked as CVE-2025-32756, carries a CVSS score of 9.6 and allows unauthenticated attackers to run arbitrary commands remotely via specially crafted HTTP requests.

According to Fortinet, this vulnerability has been exploited in the wild specifically against FortiVoice, its enterprise VoIP phone system. Attackers reportedly scanned local device networks, deleted crash logs to cover tracks, and enabled FastCGI debugging—potentially logging credentials and SSH logins in the process.

Though the attacks targeted FortiVoice, the zero-day also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Fortinet has issued patches for all five products and shared indicators of compromise (IoCs) to help organizations assess potential breaches. As an immediate mitigation step, the company advises disabling the HTTP/HTTPS admin interface.

In addition to the zero-day, Fortinet has patched CVE-2025-22252, a critical flaw with a CVSS score of 9.0, found in FortiOS, FortiProxy, and FortiSwitchManager. This bug stems from missing authentication checks for critical functions and could let attackers bypass TACACS+ login protections under specific conditions. It impacts only systems using remote TACACS+ servers with ASCII authentication enabled—configurations using PAP, MSCHAP, or CHAP are unaffected.
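To check whether a device matches the exposure condition described above for CVE-2025-22252, the following added example (not from Fortinet or the original article) scans a configuration backup for TACACS+ server entries set to ASCII authentication. It assumes the backup uses the FortiOS CLI layout `config user tacacs+` with a `set authen-type` line per entry; the sample configuration and server names are constructed, and entries without an explicit `authen-type` are reported as `None` for manual review.

```python
import re

# Constructed sample of a FortiOS-style configuration backup (not from the article).
SAMPLE_CONFIG = """\
config user tacacs+
    edit "tac-ascii"
        set server "192.0.2.10"
        set authen-type ascii
    next
    edit "tac-pap"
        set server "192.0.2.11"
        set authen-type pap
    next
    edit "tac-default"
        set server "192.0.2.12"
    next
end
config user radius
    edit "rad1"
        set server "192.0.2.20"
    next
end
"""

def tacacs_authen_types(config_text):
    """Map each 'config user tacacs+' entry name to its authen-type (None if not set)."""
    servers, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user tacacs+":
            in_block, current = True, None
        elif in_block and line == "end":
            in_block, current = False, None  # leaving the TACACS+ section
        elif in_block and (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            current = m.group(1)
            servers[current] = None  # no explicit authen-type seen yet
        elif in_block and current and (m := re.match(r"set\s+authen-type\s+(\S+)$", line)):
            servers[current] = m.group(1).lower()
        elif in_block and line == "next":
            current = None
    return servers

def ascii_tacacs_servers(config_text):
    """Names of TACACS+ entries explicitly using ASCII, the condition the advisory names."""
    return sorted(n for n, t in tacacs_authen_types(config_text).items() if t == "ascii")

if __name__ == "__main__":
    print("ASCII TACACS+ entries:", ascii_tacacs_servers(SAMPLE_CONFIG))
```
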

Another high-severity issue—CVE-2025-25251—was fixed in FortiClient for macOS. This vulnerability could allow local privilege escalation via crafted XPC messages.

Fortinet also issued updates for several medium- and low-severity flaws across products including FortiClient, FortiOS Security Fabric, FortiManager, FortiVoiceUC, and FortiPortal. Additionally, it revised four previous advisories to include more affected products. Three involve OpenSSH, addressing risks from last year’s Terrapin and regreSSHion attacks.

To stay secure, Fortinet urges all customers to apply the latest patches immediately. More technical details and updated advisories are available on Fortinet’s official PSIRT page.