Fortinet, Ivanti and SAP patch critical RCE and auth flaws
Fortinet, Ivanti and SAP released updates for multiple critical vulnerabilities, including FortiSandbox command injection (CVE-2026-25089), two Ivanti Sentry flaws and four SAP defects.
Fortinet, Ivanti and SAP issued security updates Tuesday to fix multiple critical vulnerabilities that can enable remote code execution and authentication bypass.
Fortinet patched a command-injection flaw in the web interfaces of FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS that allows unauthenticated attackers to run operating-system commands via crafted HTTP requests. The issue is tracked as CVE-2026-25089 with a CVSS score of 9.1. Affected FortiSandbox releases are 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. Fortinet advised customers to upgrade to 5.0.6 or later on the 5.0 branch, or 4.4.9 or later on the 4.4 branch.
Ivanti published fixes for two critical Ivanti Sentry vulnerabilities. CVE-2026-10520, rated 10.0, is an operating-system command injection that can allow unauthenticated remote root-level code execution in releases before R10.5.2, R10.6.2 and R10.7.1. CVE-2026-10523, rated 9.9, is an authentication bypass that can enable an attacker to create arbitrary administrative accounts and obtain full administrative access.

Security firm watchTowr Labs described an exploit path that targets the /mics/api/v2/sentry/mics-config/handleMessage endpoint: a specially crafted HTTP request to that endpoint is treated as a management command and executed by a backend component named handleExecute(). Ivanti's patch removes the vulnerable execution path and blocks direct access to the endpoint, redirecting unauthenticated requests to the login page. Security researcher Sonny Macdonald praised the update for removing the execution path and adding authentication protections in front of the endpoint.
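The patch behaviour described above (unauthenticated requests to the handleMessage endpoint are redirected to the login page) gives administrators a cheap, non-intrusive post-patch check. The following script is an added example written for this article, not Ivanti's or watchTowr's code: it sends a single unauthenticated GET with no body or command to the endpoint and classifies the response. It sends no exploit payload. The exact login path, the host name and the sample responses are constructed assumptions; the classifier only looks for a 3xx redirect whose Location contains "login".

```python
"""Post-patch triage for the Ivanti Sentry handleMessage endpoint (added example).

A plain unauthenticated GET is sent to the endpoint. A redirect to the login
page matches the patched behaviour described in the advisory coverage. Any
other answer is only a signal to verify the installed release, not proof of
exploitability.
"""
import ssl
import urllib.error
import urllib.request
from typing import Mapping, NamedTuple

# Endpoint named in watchTowr's analysis; base URL and TLS details are the caller's.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"


class Verdict(NamedTuple):
    state: str    # "redirect-to-login", "auth-enforced", "reachable", "inconclusive"
    detail: str


def classify_response(status: int, headers: Mapping[str, str]) -> Verdict:
    """Map an HTTP status and response headers to a triage verdict."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    location = lower.get("location", "")
    if 300 <= status < 400 and "login" in location.lower():
        return Verdict("redirect-to-login", f"HTTP {status} -> {location}: matches patched behaviour")
    if status in (401, 403):
        return Verdict("auth-enforced", f"HTTP {status}: endpoint refuses unauthenticated access")
    if 200 <= status < 300:
        return Verdict("reachable",
                       f"HTTP {status}: endpoint answered an unauthenticated request; "
                       "confirm the appliance runs R10.5.2, R10.6.2 or R10.7.1 or later")
    return Verdict("inconclusive", f"HTTP {status}: inspect manually")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so Location can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, verify_tls: bool = True, timeout: float = 10.0) -> Verdict:
    """Send one unauthenticated GET to the endpoint and classify the answer."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # appliances often use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:   # raised for 3xx (not followed), 4xx and 5xx
        return classify_response(err.code, dict(err.headers))


# Constructed sample responses (not captured from a real appliance) for offline use.
SAMPLE_PATCHED = (302, {"Location": "https://sentry.example.internal/login", "Content-Length": "0"})
SAMPLE_REACHABLE = (200, {"Content-Type": "application/json"})
SAMPLE_DENIED = (403, {"Content-Type": "text/html"})


if __name__ == "__main__":
    for sample in (SAMPLE_PATCHED, SAMPLE_REACHABLE, SAMPLE_DENIED):
        print(classify_response(*sample))
    # Against a live appliance (hypothetical host):
    # print(probe("https://sentry.example.internal", verify_tls=False))
```

Run it against each Sentry appliance after patching; a "reachable" verdict means the endpoint still answers without authentication and the release level should be checked against the fixed versions.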
SAP released patches for four critical-severity defects (all rated CVSS 9.0 or higher) affecting NetWeaver AS ABAP and ABAP Platform, SAP Commerce Cloud, SAP Data Hub and the NetWeaver Application Server Java web container. The fixes include CVE-2026-44748, an XML signature-wrapping vulnerability in SAML authentication with a CVSS score of 9.9 that can let an authenticated low-privilege user submit modified signed XML and alter identity information; CVE-2026-27671, a memory-corruption issue in the Application Server ABAP kernel triggered by crafted RFC requests (CVSS 9.8); CVE-2026-22732, a potential Spring security weakness in Commerce Cloud and Data Hub (CVSS 9.1); and CVE-2026-40128, a directory traversal flaw in the AS Java web container (CVSS 9.0). Security company Onapsis warned that improper XML signature verification can allow unauthorized access to sensitive user data and disrupt normal system use.
Vendors report no evidence that these specific vulnerabilities have been exploited in the wild. Fortinet, Ivanti and SAP recommend applying the provided updates immediately. Fortinet customers should upgrade FortiSandbox to 5.0.6 or 4.4.9 or later, Ivanti customers should move to the published R10.5.2, R10.6.2 or R10.7.1 releases as appropriate, and SAP customers should install the vendor’s security notes and patches for the listed components.
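Mapping the affected and fixed versions above onto an appliance inventory is the first step of remediation. The script below is an added example written for this article, not vendor code: it parses FortiSandbox and Ivanti Sentry version strings and reports whether each falls inside the ranges the advisories list (FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8; Sentry releases before R10.5.2, R10.6.2 and R10.7.1, read here as one fixed floor per 10.x branch). Versions on branches the article does not mention are reported as "check the vendor advisory" rather than guessed. The inventory entries are constructed sample data.

```python
"""Version triage for the FortiSandbox and Ivanti Sentry fixes (added example).

Only the version ranges stated in the coverage are encoded; anything outside
them is deferred to the vendor advisory instead of being assumed safe.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '5.0.5', 'v4.4.9-build0123' or 'R10.5.1' into a comparable 3-tuple."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:          # '5.0' is treated as 5.0.0
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def _fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


# FortiSandbox: (first affected, last affected, first fixed) per branch, inclusive.
FORTISANDBOX_RANGES = [
    ((5, 0, 0), (5, 0, 5), (5, 0, 6)),
    ((4, 4, 0), (4, 4, 8), (4, 4, 9)),
]


def fortisandbox_status(version: str) -> str:
    v = parse_version(version)
    for first, last, fixed in FORTISANDBOX_RANGES:
        if first <= v <= last:
            return f"affected by CVE-2026-25089; upgrade to {_fmt(fixed)} or later"
        if v[:2] == fixed[:2] and v >= fixed:
            return "fixed"
    return "not in the listed affected ranges; check the vendor advisory"


# Ivanti Sentry: first fixed release per branch. Older branches are not listed in
# the coverage, so they are deferred to the advisory (assumption of this example).
SENTRY_FIXED: Dict[Tuple[int, int], Version] = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}


def sentry_status(version: str) -> str:
    v = parse_version(version)
    fixed = SENTRY_FIXED.get(v[:2])
    if fixed is None:
        return "branch not listed; check the vendor advisory"
    if v < fixed:
        return f"affected by CVE-2026-10520 and CVE-2026-10523; upgrade to R{_fmt(fixed)} or later"
    return "fixed"


CHECKERS = {"fortisandbox": fortisandbox_status, "sentry": sentry_status}


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, verdict) for each (product, host, version) entry."""
    return [(host, CHECKERS[product](version)) for product, host, version in inventory]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("fortisandbox", "fsa-dc1", "v5.0.5-build0412"),
    ("fortisandbox", "fsa-dc2", "4.4.9"),
    ("fortisandbox", "fsa-lab", "4.2.3"),
    ("sentry", "sentry-eu", "R10.5.1"),
    ("sentry", "sentry-us", "R10.7.1"),
    ("sentry", "sentry-old", "R10.4.0"),
]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:12s} {verdict}")
```

Feed it the version strings from each appliance's web console or CLI; any entry reported as affected or deferred to the advisory should be scheduled for the upgrade before external exposure is reconsidered.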
Vendors also advise restricting external access to management endpoints. The updates remove vulnerable execution paths and add controls to block unauthenticated requests to sensitive interfaces.