San Jose-based cybersecurity firm Fortinet has disclosed a critical security vulnerability in its enterprise-grade firewalls. This critical Remote Code Execution (RCE) vulnerability is currently being actively exploited in FortiVoice enterprise phone systems. The company recently released a security advisory (FG-IR-25-254) notifying users of the critical risk this vulnerability presents. Fortinet would still not disclose the magnitude of these attacks, or the actors behind the attacks themselves. It’s equally important for users to proactively put the patch into action now to safeguard their systems against this vulnerability.
The vulnerability does not just impact FortiVoice, but has been identified to impact other Fortinet products such as FortiMail, FortiNDR, FortiRecorder and FortiCamera. The vulnerability lets a remote unauthenticated threat actor run arbitrary code or commands on the device by sending specially crafted HTTP requests. This scary new avenue of potential exploitation makes it even more critical for users to patch with the latest Fortinet-released patch.
Details of the Vulnerability
As noted in Fortinet’s advisory, the detected flaw is a stack-based overflow vulnerability classified under CWE-121. This kind of vulnerability is always especially dangerous as it allows attackers to remotely seize control of affected systems.
“A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests,” – Fortinet
The company said the vulnerability was associated with a critical security threat. This risk in particular affects FortiVoice systems, often the communication workhorses of enterprise-grade environments.
Urgent Call for Action
Fortinet advises that all users of the impacted software apply the patch without delay. This specific recommendation was made to address consistent and continued abuse of this loophole. In doing so, public and private organizations alike can significantly reduce their chances of succumbing to the upcoming attacks likely to leverage this newly discovered zero-day vulnerability.
Fortinet responded rapidly to address the threat, issuing a patch within days of discovery. They have not provided any further information on the breadth of the attacks or the profiles of individual threat actors. By not providing any context around their current vulnerabilities, it creates a world where users have no idea what their security posture is today.