Fortinet seals several flaws, attacks on FortiVoice observed
Fortinet reported an actively attacked vulnerability in FortiVoice. Updates also seal numerous other gaps.
Various Fortinet products contain security vulnerabilities, and the company is now offering updates that close them. One vulnerability in FortiVoice is already under attack in the wild. Admins should therefore install the updates quickly.
The most serious vulnerability affects FortiCamera, FortiMail, FortiNDR, FortiRecorder and FortiVoice. Attackers can use manipulated HTTP requests to provoke a stack-based buffer overflow that leads to the execution of arbitrary code or commands. According to the security announcement, Fortinet has already observed such attacks on FortiVoice devices.
In the attacks, the malicious actors first scanned the device network, then deleted system crash reports and enabled "fcgi debugging" to log system credentials or SSH log-in attempts. At the end of the security notice, Fortinet lists several indicators of compromise (IOCs).
Bug-fixed versions
Fortinet is already providing updates that close the gap. However, some older versions need to be updated to a supported version. The security leak is plugged by FortiCamera 2.1.4, FortiMail 7.6.3, 7.4.5, 7.2.8 and 7.0.9, FortiNDR 7.4.8, 7.2.5 and 7.0.7, FortiRecorder 7.2.4, 7.0.6 and 6.4.6 as well as FortiVoice 7.2.1, 7.0.7 and 6.4.11, or newer versions.
On Tuesday, Fortinet published further security updates for various products. Admins should check whether the Fortinet appliances and systems they use are affected and install the available updates if necessary:
- TACACS+ authentication bypass, CVE-2025-22252, CVSS 9.0, risk "critical"
- Local privilege escalation in XPC Services, CVE-2025-25251, CVSS 7.4, risk "high"
- Path traversal in upload message, CVE-2025-22859, CVSS 5.0, risk "medium"
- Denial of Service in Security Fabric Root, CVE-2025-47294, CVSS 4.8, risk "medium"
- Index of FCT installation directory publicly accessible, CVE-2025-24473, CVSS 4.8, risk "medium"
- Buffer over-read in FGFM, CVE-2025-47295, CVSS 3.4, risk "low"
- Code execution due to Node.js environment variable, CVE-2024-35281, CVSS 2.3, risk "low"
- Insertion of sensitive information into system log, CVE-2025-46777, CVSS 2.2, risk "low"
- Unauthorized modification of global threat feeds, CVE-2024-54020, CVSS 2.1, risk "low"
In mid-April, Fortinet reported on how attackers were infiltrating the manufacturer's firewalls and achieving persistence. At that time, IT security researchers had detected more than 14,000 compromised Fortinet firewalls worldwide.
(dmk)