Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities

Fortinet, Ivanti, and SAP have released security updates to address several critical vulnerabilities that could result in code execution and information disclosure.
The flaw patched by Fortinet is a command injection vulnerability in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It is tracked as CVE-2026-25089 (CVSS score: 9.1).
“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI could allow an unauthorized attacker to issue unauthorized commands via specially crafted HTTP requests,” Fortinet said.
The issue affects the following products and versions –
- FortiSandbox 5.0.0 to 5.0.5 (Upgrade to 5.0.6 or higher)
- FortiSandbox 4.4.0 to 4.4.8 (Upgrade to 4.4.9 or higher)
- FortiSandbox Cloud 5.0.4 to 5.0.5 (Upgrade to 5.0.6 or higher)
- FortiSandbox PaaS 5.0.4 to 5.0.5 (Upgrade to 5.0.6 or higher)
On Tuesday, Ivanti also published fixes for two critical security flaws affecting Ivanti Sentry (formerly MobileIron Sentry) –
- CVE-2026-10520 (CVSS score: 10.0) – An OS command injection vulnerability in versions prior to R10.5.2, R10.6.2, and R10.7.1 that allows an unauthorized remote attacker to achieve remote code execution.
- CVE-2026-10523 (CVSS score: 9.9) – An authentication bypass vulnerability in versions prior to R10.5.2, R10.6.2, and R10.7.1 that allows an unauthorized remote attacker to create arbitrary administrative accounts and gain full administrative access.
watchTowr Labs, which published more details of CVE-2026-10520, said that an attacker can exploit the vulnerability by issuing a specially crafted HTTP request to the endpoint “/mics/api/v2/sentry/mics-config/handleMessage”, which processes MICS configuration messages and hands them to a backend component that executes a command.
The patch published by Ivanti adds controls that block access to the vulnerable endpoint, so that unauthorized requests are redirected to the login page.
“Ivanti has not only removed attacker control from the vulnerable path,” said security researcher Sonny Macdonald. “They also added a layer of protection in front of it to make the endpoint harder to reach. In other words: they added authentication.”
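One defender-side use of that detail, as an added example that is not Ivanti's or watchTowr's code: scan a web access log for requests to the endpoint named above and separate hits that reached the handler from hits the patch redirected to the login page. It assumes Common Log Format and that the redirect surfaces as a 3xx status; the log lines are constructed, not captured traffic.

```python
import re
from collections import Counter

# Endpoint the article names for CVE-2026-10520.
SENTRY_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"
# Common Log Format (assumed): client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line: str):
    """Return (client, method, verdict) for a hit on the endpoint, else None.
    A 3xx is assumed to be the patch's redirect to the login page; a 2xx
    means the request reached the handler and deserves a closer look."""
    m = LOG_RE.match(line)
    if not m or m.group("path").split("?", 1)[0] != SENTRY_ENDPOINT:
        return None
    status = int(m.group("status"))
    if 200 <= status < 300:
        verdict = "REACHED_HANDLER"
    elif 300 <= status < 400:
        verdict = "REDIRECTED_TO_LOGIN"
    else:
        verdict = f"OTHER_{status}"
    return m.group("client"), m.group("method"), verdict

def summarize(lines):
    """Count (client, verdict) pairs; any REACHED_HANDLER on an appliance
    still running a pre-fix Sentry release is worth investigating."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            client, _method, verdict = hit
            counts[(client, verdict)] += 1
    return counts

# Constructed sample lines, not captured traffic (RFC 5737 test addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2026:12:00:01 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2026:12:00:02 +0000] "GET /mics/login HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Feb/2026:13:00:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Feb/2026:13:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:16} {verdict:20} {n}")
```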
Completing the list of updates is SAP, which released fixes for four critical vulnerabilities in NetWeaver AS ABAP and ABAP Platform, as well as SAP Commerce Cloud and SAP Data Hub –
- CVE-2026-44748 (CVSS score: 9.9) – XML signature validation vulnerability in SAML authentication in SAP NetWeaver AS ABAP and ABAP Platform
- CVE-2026-27671 (CVSS score: 9.8) – Memory corruption vulnerability in Application Server ABAP for SAP NetWeaver and ABAP Platform
- CVE-2026-22732 (CVSS score: 9.1) – Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub
- CVE-2026-40128 (CVSS score: 9.0) – Directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
“The application allows an authorized attacker with normal privileges to obtain a valid signed message and send modified XML documents with spoofed identity information to the authenticator,” said SAP security firm Onapsis.
“Due to improper validation of the XML signature, the forged identity information is accepted, resulting in unauthorized access to sensitive user data and possible disruption of normal system operation.”
As for CVE-2026-27671, the flaw allows an unauthorized attacker to send a crafted RFC request that takes advantage of how the SAP kernel validates the RFC protocol to trigger memory corruption.
There is no evidence that any of the flaws mentioned above have been exploited in the wild. However, it is always a safe practice to update to the latest version for full protection.