Fortinet on Tuesday announced patches for a dozen vulnerabilities across its product portfolio, including a critical zero-day bug exploited in the wild against FortiVoice phone system appliances.

The exploited flaw, tracked as CVE-2025-32756 (CVSS score of 9.6), is described as a stack-based overflow defect that allows unauthenticated, remote attackers to execute arbitrary code or commands using crafted HTTP requests.

“Fortinet has observed this to be exploited in the wild on FortiVoice,” the company notes in its advisory.

As part of the observed attacks, threat actors scanned the device network, erased system crashlogs, and then enabled fcgi debugging to log system credentials and SSH logins.

Fortinet has shared indicators of compromise (IoCs) to help customers hunt for potential breaches and proposes disabling the HTTP/HTTPS administrative interface as a workaround.

Although exploited only against FortiVoice instances, CVE-2025-32756 also impacts FortiMail, FortiNDR, FortiRecorder, and FortiCamera, and security updates were released for all five products.

On Tuesday, Fortinet also released patches for a critical flaw in FortiOS, FortiProxy, and FortiSwitchManager. Tracked as CVE-2025-22252 (CVSS score of 9.0) and described as a missing authentication for critical function defect, it could lead to TACACS+ authentication bypass.

It only affects instances that have “TACACS+ configured to use a remote TACACS+ server for authentication, that has itself been configured to use ASCII authentication”. An attacker could target an existing administrative account to access the device with admin privileges.