Fortinet, Ivanti, SAP release urgent patches for critical security vulnerabilities


Cybersecurity and software companies Fortinet, Ivanti, and SAP have all dropped patches to address critical security flaws in their products that could result in an authentication bypass and code execution if successfully exploited.

The Fortinet vulnerabilities affect products such as FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. The critical flaws are tracked as CVE-2025-59718 and CVE-2025-59719, and are related to a case of improper verification of a cryptographic signature.

Both flaws carry CVSS scores (numerical ratings from 0 to 10 that assess the severity of IT vulnerabilities) of 9.8, placing them at the critical end of the scale.


“An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in an advisory.

SAML, or Security Assertion Markup Language, is a standardized method for verifying the identity of users to external applications and services.


To temporarily protect their systems against attacks exploiting these vulnerabilities, organizations are advised to disable the FortiCloud SSO login feature until it can be updated.

However, the good news is that the feature is not actually enabled in the default factory settings and only works when an administrator registers the device to FortiCare.

Ivanti has also released updates to address four security flaws in Endpoint Manager, one of which is a critical-severity bug in the EPM core and remote consoles. The vulnerability, tracked as CVE-2025-10573, carries a CVSS score of 9.6.

“Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session,” said Ivanti in a security advisory.


Douglas McKee, director of vulnerability intelligence at cybersecurity company Rapid7, who discovered the vulnerability, said in a statement that CVE-2025-10573 represents a serious risk as it’s trivial to exploit and can be carried out by sending a fake device report to the server using a basic file format.

“While the attack only fully executes when an administrator views the dashboard, this is a routine and necessary task for IT staff. Consequently, the likelihood of triggering the exploit during normal operations is high, ultimately allowing the attacker to take control of the administrator’s session,” said McKee.

Ivanti points out, though, that user interaction is required to exploit the flaw, and that it’s not actually aware of any attacks in the wild.

Lastly, SAP, a German software company, has also shipped December security updates to address 14 vulnerabilities across multiple products, including three critical-severity flaws, CVE-2025-42880, CVE-2025-55754, and CVE-2025-42928.

Boston-based SAP security platform Onapsis, which reported the flaws, stated that it identified a remote-enabled function module in SAP Solution Manager that allows an authenticated attacker to inject arbitrary code.
