
CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products, including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated CVSS 9.6 (Critical) and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

CVE-2025-32756 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV) on May 14, 2025.

Mitigation guidance

Fortinet has provided patches for affected versions that are still under support, and guidance for unsupported versions to migrate to a fixed release. Customers are advised to follow the vendor guidance and remediate this vulnerability on an urgent basis by upgrading to a fixed version, as outlined below.

  • FortiVoice 7.2 should be upgraded to 7.2.1 or above
  • FortiVoice 7.0 should be upgraded to 7.0.7 or above
  • FortiVoice 6.4 should be upgraded to 6.4.11 or above
  • FortiRecorder 7.2 should be upgraded to 7.2.4 or above
  • FortiRecorder 7.0 should be upgraded to 7.0.6 or above
  • FortiRecorder 6.4 should be upgraded to 6.4.6 or above
  • FortiNDR 7.6 should be upgraded to 7.6.1 or above
  • FortiNDR 7.4 should be upgraded to 7.4.8 or above
  • FortiNDR 7.2 should be upgraded to 7.2.5 or above
  • FortiNDR 7.1 should be migrated to a fixed release
  • FortiNDR 7.0 should be upgraded to 7.0.7 or above
  • FortiNDR 1.5 should be migrated to a fixed release
  • FortiNDR 1.4 should be migrated to a fixed release
  • FortiNDR 1.3 should be migrated to a fixed release
  • FortiNDR 1.2 should be migrated to a fixed release
  • FortiNDR 1.1 should be migrated to a fixed release
  • FortiMail 7.6 should be upgraded to 7.6.3 or above
  • FortiMail 7.4 should be upgraded to 7.4.5 or above
  • FortiMail 7.2 should be upgraded to 7.2.8 or above
  • FortiMail 7.0 should be upgraded to 7.0.9 or above
  • FortiCamera 2.1 should be upgraded to 2.1.4 or above
  • FortiCamera 2.0 should be migrated to a fixed release
  • FortiCamera 1.1 should be migrated to a fixed release

For customers who are not able to update to a fixed version, Fortinet's guidance is to disable the affected appliance's HTTP(S) administrative interface as a temporary workaround. For the latest mitigation guidance, refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can now assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check available in the May 14, 2025 content release (Nexpose Content 1.1.3561).

Updates

May 14, 2025: Updated to reflect InsightVM check was shipped on May 14, 2025. Added reference to the CISA KEV listing.


Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes

On March 24, 2025, Kubernetes disclosed 5 new vulnerabilities affecting the Ingress NGINX Controller for Kubernetes. Successful exploitation could allow an attacker to access all Secrets stored across all namespaces in the Kubernetes cluster, which could result in cluster takeover.

  • CVE-2025-1974 (9.8 Critical): RCE escalation. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (In the default installation, the controller can access all Secrets cluster-wide.)
  • CVE-2025-24514 (8.8 High): Configuration injection via unsanitized auth-url annotation. In ingress-nginx, the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-1097 (8.8 High): Configuration injection via unsanitized auth-tls-match-cn annotation. The `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-1098 (8.8 High): Configuration injection via unsanitized mirror annotations. The `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
  • CVE-2025-24513 (4.8 Medium): Auth secret file path traversal vulnerability. Attacker-provided data is included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Of the 5 vulnerabilities disclosed, any one of the injection vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098) may be chained with CVE-2025-1974 to achieve unauthenticated RCE on the Kubernetes pod that is running a vulnerable Ingress NGINX Controller. Achieving RCE could allow an attacker to take over a Kubernetes cluster. As of March 25, 2025, none of the above CVEs is known to be exploited in the wild.

Ingress is a Kubernetes feature to route HTTP(S) traffic into a Kubernetes cluster. An Ingress Controller is an application responsible for performing the routing. While there are many Ingress Controllers available, the vulnerabilities disclosed on March 24 are specific to the Ingress NGINX Controller, which is an Ingress Controller based upon NGINX.

The original finders of all five vulnerabilities, Wiz, noted that 43% of cloud environments are vulnerable to the issues disclosed, and that they have identified 6,500 clusters with publicly exposed Ingress NGINX Controllers.

As of March 25, 2025 (14:00 GMT), there is one known publicly available RCE exploit for CVE-2025-1974 (here). This exploit is unverified, but based on our understanding of the vulnerability, it appears viable.

Mitigation guidance

All 5 vulnerabilities are reported to affect the following versions of Ingress NGINX Controller:

  • Versions <= 1.11.4
  • Version 1.12.0

Notably, the Wiz advisory says that CVE-2025-24514 does not affect version 1.12.0, but the vendor indicates that the issue does affect 1.12.0.

Customers who use the Ingress NGINX Controller for Kubernetes are advised to update to the following versions immediately:

  • Version 1.11.5
  • Version 1.12.1
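The version guidance above translates directly into an inventory check. The following script is an added example, not code from Rapid7 or the Kubernetes project: it walks a `kubectl get pods -A -o json` snapshot, finds every container running the upstream `ingress-nginx/controller` image, and reports the ones still on an affected release (anything at or below 1.11.4, or exactly 1.12.0) together with the fixed release to move to (1.11.5 for the 1.11 line and older, 1.12.1 for the 1.12 line). The embedded pod list is constructed for the example; the image naming convention `ingress-nginx/controller:vX.Y.Z`, with or without a trailing `@sha256:` digest, is the upstream one and is an assumption for any vendor-repackaged image. It goes slightly beyond the text in that it also inspects init containers.

```python
import json
import re
import sys

# Constructed snapshot in the shape of `kubectl get pods -A -o json` output.
# Pod names, namespaces and image tags below are made up for this example.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7d9f"},
         "spec": {"containers": [{"name": "controller",
                                  "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0123abcd"}]}},
        {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-a1b2"},
         "spec": {"containers": [{"name": "controller",
                                  "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
        {"metadata": {"namespace": "legacy", "name": "ingress-nginx-controller-c3d4"},
         "spec": {"containers": [{"name": "controller",
                                  "image": "registry.k8s.io/ingress-nginx/controller:v1.9.6"}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns-e5f6"},
         "spec": {"containers": [{"name": "coredns",
                                  "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
    ]
})

# Matches the upstream controller image and captures its semantic version,
# tolerating a leading "v" and a trailing "@sha256:..." digest (assumed naming).
CONTROLLER_IMAGE_RE = re.compile(r"ingress-nginx/controller:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image: str):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = CONTROLLER_IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """Affected set from the advisory: every release <= 1.11.4, plus 1.12.0."""
    return version <= (1, 11, 4) or version == (1, 12, 0)


def recommended_fix(version):
    """Fixed releases from the advisory: 1.12.1 for the 1.12 line, 1.11.5 otherwise."""
    return (1, 12, 1) if version[:2] == (1, 12) else (1, 11, 5)


def find_affected_controllers(pods_json: str):
    """Scan a pod list and report controllers that still need the update."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # Init containers are checked too, since a controller image may run there.
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            version = parse_controller_version(container.get("image", ""))
            if version is None or not is_affected(version):
                continue
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "version": ".".join(map(str, version)),
                "upgrade_to": ".".join(map(str, recommended_fix(version))),
            })
    return findings


if __name__ == "__main__":
    # Real use: kubectl get pods -A -o json | python3 check_ingress_nginx.py
    # With no piped input the constructed sample above is scanned instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    for f in find_affected_controllers(data):
        print(f"{f['namespace']}/{f['pod']}: controller {f['version']} is affected, "
              f"upgrade to {f['upgrade_to']}")
```

Against the sample data the script flags the 1.11.4 and 1.9.6 controllers and leaves the 1.12.1 one alone. The check keys on the image tag only; a controller deployed from a mirrored registry under a different repository path, or tagged with a build label instead of a version, will not match the pattern and should be reviewed by hand.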

Rapid7 customers

With the latest Kubernetes Cluster Scanner (available as of Wednesday, March 26), InsightCloudSec customers can discover Kubernetes workloads in their cluster that have this vulnerability. The discovery is surfaced through the insights pack as a new insight called "Publicly exposed vulnerable Ingress NGINX Admission", which also includes remediation steps.

InsightVM and Nexpose customers can assess their exposure to CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 on Unix-based systems with authenticated checks available in the March 26 content release.