Exploitation of New Fortinet and Ivanti Zero-Day Vulnerabilities Detected in the Wild


Fortinet and Ivanti have issued urgent alerts about newly exploited zero-day vulnerabilities affecting several of their products. On May 13, 2025, the two companies published separate advisories: Fortinet's covers a critical flaw, Ivanti's a pair of flaws that chain to remote code execution. Both require immediate patching by customers.

Fortinet's flaw, CVE-2025-32756, is a stack-based buffer overflow. A remote, unauthenticated attacker can execute arbitrary code or commands by sending specially crafted HTTP requests to an affected device. The vulnerability carries a critical CVSS score of 9.6.
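To make the bug class concrete, here is an added, generic illustration; it is not Fortinet's code and does not reproduce the CVE-2025-32756 code path, which the advisory does not describe. A minimal HTTP header parser copies an attacker-controlled Cookie value into a fixed 32-byte stack buffer with no length check, beside a hardened handler that rejects oversized values instead of copying them. The header name, buffer size and sample requests are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class named in the advisory: a stack-based
 * buffer overflow reachable through an attacker-controlled HTTP request.
 * Generic example code, not Fortinet's; it does not reproduce the actual
 * CVE-2025-32756 code path. The header name ("Cookie"), the 32-byte buffer
 * and the sample requests are constructed for the demonstration. */

#define HDR_BUF 32   /* hypothetical fixed-size stack buffer */

/* Locate header `name` in a raw request. Returns a pointer to its value and
 * stores the value length (without CRLF) in *len, or returns NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");           /* skip the request line */
    while (p) {
        p += 2;
        if (p[0] == '\r' || p[0] == '\0')          /* blank line: end of headers */
            return NULL;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ') p++;
            const char *end = strstr(p, "\r\n");
            *len = end ? (size_t)(end - p) : strlen(p);
            return p;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* Vulnerable pattern: copies the header value into a 32-byte stack buffer
 * without comparing len against sizeof buf. A value of 32 bytes or more
 * overruns buf and corrupts the surrounding stack frame. Only fed short,
 * constructed input here. */
int handle_unsafe(const char *req) {
    char buf[HDR_BUF];
    size_t len;
    const char *v = find_header(req, "Cookie", &len);
    if (!v) return -1;
    memcpy(buf, v, len);                           /* unbounded copy */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Hardened: bound the copy by the destination and reject, rather than
 * silently truncate, a value that does not fit, so the request is dropped. */
int handle_safe(const char *req) {
    char buf[HDR_BUF];
    size_t len;
    const char *v = find_header(req, "Cookie", &len);
    if (!v) return -1;
    if (len >= sizeof buf) return -2;              /* oversized: reject */
    memcpy(buf, v, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Constructed benign request; its Cookie value is 10 bytes long. */
const char BENIGN_REQUEST[] =
    "GET /admin HTTP/1.1\r\nHost: device\r\nCookie: sid=abc123\r\n\r\n";

/* Build a constructed request whose Cookie value is n 'A' bytes. */
static void build_request(char *out, size_t out_len, size_t n) {
    const char prefix[] = "GET /admin HTTP/1.1\r\nHost: device\r\nCookie: ";
    size_t used = sizeof prefix - 1;
    if (used + n + 5 > out_len) n = out_len - used - 5;
    memcpy(out, prefix, used);
    memset(out + used, 'A', n);
    memcpy(out + used + n, "\r\n\r\n", 5);         /* includes the NUL */
}

/* Returns 1 when the hardened handler accepts the benign request and rejects
 * a request carrying a 200-byte Cookie value (which handle_unsafe would have
 * written past the end of its buffer). */
int demo_hardened(void) {
    char req[512];
    build_request(req, sizeof req, 200);
    return handle_safe(BENIGN_REQUEST) == 10 && handle_safe(req) == -2;
}

int main(void) {
    printf("unsafe handler, benign cookie length: %d\n", handle_unsafe(BENIGN_REQUEST));
    printf("hardened handler rejects 200-byte cookie: %s\n",
           demo_hardened() ? "yes" : "no");
    return 0;
}
```

The unsafe handler returns a sensible length only because the constructed input is short; with a 32-byte or longer value it writes past buf, which is the condition any fixed-size stack buffer filled from request data must guard against. Rejecting the request outright, rather than truncating, keeps a length check from turning into a different parsing inconsistency later in the handler.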

The affected Fortinet products are FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Fortinet has observed the vulnerability being exploited in the wild, so far on FortiVoice systems. The post-exploitation activity Fortinet observed on compromised devices included:

– Scanning the device network
– Erasing system crash logs
– Enabling FCGI debugging to log credentials entered on the system or in SSH login attempts.

Fortinet has not attributed the activity to any particular threat actor. It has published indicators of compromise (IOCs) so customers can check their devices for signs of exploitation. One check is for the FCGI debugging setting, which is not normally enabled: run diag debug application fcgi in the CLI; if the output contains “general to-file ENABLED”, FCGI debugging has been turned on and the device should be treated as potentially compromised and reviewed against the remaining IOCs.

Fortinet has released fixed versions and urges customers to update promptly. Until the update is applied, organizations should disable the HTTP/HTTPS administrative interface, which is the attack surface the crafted requests target.

Alongside Fortinet's announcement, Ivanti disclosed two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427, a medium-severity authentication bypass, and CVE-2025-4428, a high-severity remote code execution flaw. Both stem from two open-source libraries integrated into EPMM. Ivanti is working with the libraries' maintainers to determine whether separate CVEs are warranted, which would benefit other projects that depend on the same code.

Ivanti states that chaining the two vulnerabilities allows unauthenticated remote code execution. At the time of disclosure, the company was aware of a very limited number of customers whose systems had been compromised. A fixed version is available and customers are advised to install it as soon as possible. As a temporary mitigation, access to the API can be restricted using the built-in Portal ACLs functionality or an external Web Application Firewall (WAF); these reduce exposure of the vulnerable API path but do not remove the flaw, so they should not substitute for the update.

During a recent conference, the Chief Technology Officer of the UK National Cyber Security Centre (NCSC), Ollie Whitehouse, emphasized the pressing need for accountability among software vendors in addressing security flaws. He argued that the current market fails to reward companies that invest in secure product design, which has led to an alarming prevalence of vulnerabilities in the very network and security devices organizations rely on for protection.

The UK government is pursuing initiatives to create incentives for better security practices and to make product security more visible to buyers. As part of this effort, two new cybersecurity assessment programs were introduced to demonstrate the resilience of products and services on the market. One of them, the Cyber Resilience Test Facilities (CRTF) scheme, aims to establish a network of trusted facilities that can independently and consistently audit the cybersecurity of technology vendors' offerings.