(TLP:CLEAR) Critical Zero Day Vulnerabilities in Fortinet and Ivanti Impact a Range of Products and Services

Summary: On Tuesday, Ivanti and Fortinet both released security advisories for critical zero day vulnerabilities affecting a range of products and urged customers to apply fixes as soon as possible.

Fortinet released an advisory regarding CVE-2025-32756 (CVSS 9.8), a stack-based overflow vulnerability that affects FortiVoice, FortiMakil, FortiNDR, FortiRecorder, and FortiCamera. If exploited, a remote unauthenticated attacker could execute arbitrary code or commands via crafted HTTP requests. Additionally, Fortinet has reported that they have observed exploitation of this vulnerability in the wild on FortiVoice.

Ivanti announced security patches for two zero days affecting Endpoint Manager Mobile (EPMM). One of them, tracked as CVE-2025-4427 is an authentication bypass vulnerability allowing threat actors to access protected resources without credentials. The second flaw, CVE-2025-4428, is a remote code execution issue that allows unauthenticated attackers to execute arbitrary code. Both vulnerabilities can be chained together to achieve unauthenticated remote code execution.

Analyst Note: WaterISAC recommends members promptly follow the guidance put out by both Fortinet and Ivanti to update affected products and utilize workarounds where applicable.

Additional Reading:

• Fortinet fixes critical zero-day exploited in FortiVoice attacks
• Ivanti fixes EPMM zero-days chained in code execution attacks

Mitigation Recommendations:

• Fortinet – Stack-based buffer overflow vulnerability in API
• Ivanti – Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)

Related WaterISAC PIRs: 6, 8, 12