Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed

[Update] June 10, 2025: New PoC Exploit Released for CVE-2025-32756

Fortinet and Ivanti have each released critical security advisories addressing multiple high-impact vulnerabilities, several of which have been actively exploited in zero-day attacks. These flaws affect a wide range of enterprise systems, from VoIP and mail platforms to IT service management and endpoint management solutions.

Fortinet: CVE-2025-32756 Zero-Day Exploited in the Wild

Fortinet has issued emergency patches to resolve a severe remote code execution (RCE) vulnerability, CVE-2025-32756, affecting FortiVoice Enterprise phone systems. The flaw is a stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted HTTP requests.

The vulnerability also impacts several other Fortinet products, including:

• FortiMail
• FortiNDR
• FortiRecorder
• FortiCamera

Fortinet’s Product Security Team uncovered the flaw after identifying unusual attacker behaviors, including network scans, deletion of system crash logs, and the use of the fcgi debugging feature to capture system and SSH credentials.

Indicators of Compromise (IOCs):

• ‘fcgi debugging’ enabled (disabled by default)
• Suspicious IPs used in attacks:
  • 198.105.127[.]124
  • 43.228.217[.]173
  • 43.228.217[.]82
  • 156.236.76[.]90
  • 218.187.69[.]244
  • 218.187.69[.]59

Attackers have been observed deploying malware, installing cron jobs for credential theft, and running scripts to scan internal networks. For customers unable to patch immediately, Fortinet recommends disabling the HTTP/HTTPS admin interface as a mitigation step.

This follows a wave of exploitation activity last month, when over 16,000 Fortinet devices were found compromised via a symlink backdoor previously addressed by patches.

New PoC Exploit Released for CVE-2025-32756

Security researchers have released a new Proof-of-Concept (PoC) exploit targeting the critical CVE-2025-32756 vulnerability in Fortinet products.

This flaw lies in how the /remote/hostcheck_validate endpoint processes the AuthHash cookie, specifically due to insufficient bounds checking. As a result, an unauthenticated attacker can achieve RCE.

The exploit code, implemented in Python and shared publicly on GitHub, shows how an attacker can craft malicious HTTP POST requests to overflow the buffer in the enc parameter, potentially gaining complete control over the affected system.

Ivanti Neurons for ITSM: Authentication Bypass Vulnerability (CVE-2025-22462)

Ivanti has patched a critical authentication bypass vulnerability, CVE-2025-22462, in its Neurons for ITSM on-premise IT service management solution. This flaw could allow unauthenticated attackers to gain administrative access in low-complexity attack scenarios.

Affected versions:

• 2023.4
• 2024.2
• 2024.3

Patched versions:

• May 2025 Security Patches for all affected versions

Ivanti confirmed that customers who followed prior security hardening guidance, such as restricting access via IIS settings and implementing DMZ configurations, are less exposed to this threat. The company has found no signs of exploitation in the wild so far.

Ivanti Endpoint Manager Mobile (EPMM): Zero-Day RCE Chain (CVE-2025-4427 & CVE-2025-4428)

In a separate advisory, Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) that have been exploited in a limited number of attacks:

• CVE-2025-4427: Authentication bypass in the EPMM API
• CVE-2025-4428: Remote code execution via crafted API requests

When chained, these vulnerabilities can allow unauthenticated attackers to execute arbitrary code on exposed systems.

Mitigated in:

• EPMM 11.12.0.5
• EPMM 12.3.0.2
• EPMM 12.4.0.2
• EPMM 12.5.0.1

While the full extent of exploitation is still being assessed, Ivanti is urging all on-prem EPMM customers to update immediately. These issues do not affect cloud-based Neurons for MDM, Ivanti Sentry, or other Ivanti solutions.

Ivanti also noted that the vulnerabilities are linked to open-source libraries used by EPMM but did not disclose further details. According to the Shadowserver Foundation, hundreds of EPMM instances remain exposed online, with the highest numbers in Germany and the United States.

Update: Active Exploitation of Ivanti EPMM Vulnerabilities by China-Nexus Threat Actor

Security researchers have confirmed active exploitation of a critical Ivanti Endpoint Manager Mobile (EPMM) vulnerability chain targeting internet-facing instances. The attacks, attributed to a China-nexus group (UNC5221), have affected organizations across healthcare, government, finance, defense, and other critical sectors globally.

Attackers are leveraging unauthenticated remote code execution through API misuse, deploying custom malware like KrustyLoader and Sliver backdoors to establish persistent access. Post-compromise activity includes data exfiltration from managed mobile devices, credential theft, and use of hardcoded database credentials for deeper network access.

Researchers observed use of open-source tools like FRP for lateral movement and infrastructure reuse linking this campaign to earlier espionage operations.

Detection guide is available via a Sigma rule to help identify suspicious HTTP requests exploiting this attack path.

Once again, Ivanti has issued patches, and immediate mitigation is strongly recommended for all on-prem EPMM deployments.

In Conclusion

These disclosures from Fortinet and Ivanti highlight an ongoing trend of attackers exploiting enterprise software flaws to gain deep access into critical systems. While Ivanti’s vulnerabilities have seen limited exploitation so far, Fortinet’s zero-day RCE flaw has already been actively weaponized.

Organizations using any of the affected products should prioritize patching and consider implementing available mitigations if immediate updates are not possible. Continuous monitoring and strict access controls remain key components of defense against evolving threat activity.

Stay one step ahead by managing what’s visible to threat actors. SOCRadar’s Attack Surface Management (ASM) module continuously maps your digital footprint, helping you find and fix weaknesses before they are exploited.

• Discover internet-facing assets, forgotten subdomains, and misconfigured services
• Monitor third-party risks and shadow IT
• Detect impersonating domains and exposed ports