A critical vulnerability in various Fortinet products allows remote attackers to execute arbitrary code via crafted HTTP requests. Observed exploitation on FortiVoice involved network scanning, erasing system logs, and enabling fcgi debugging to capture credentials. Affected products include FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera across multiple versions. The threat actor used specific IP addresses and modified system files and settings. Indicators of compromise include added malicious files, modified cron jobs, and altered configuration files. Fortinet recommends upgrading to patched versions or disabling the HTTP/HTTPS administrative interface as a workaround.