Ivanti, Fortinet, and SAP Address Critical Security Vulnerabilities

Leading technology firms Ivanti, Fortinet, and SAP have recently issued critical security patches to address multiple vulnerabilities that could potentially allow unauthorized code execution and data breaches.

Fortinet’s FortiSandbox Vulnerability

Fortinet has identified a significant command injection flaw in its FortiSandbox product line, including FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. This vulnerability, designated as CVE-2026-25089 with a CVSS score of 9.1, could enable unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests. Affected versions include:

  • FortiSandbox 5.0.0 through 5.0.5 (users should upgrade to 5.0.6 or later)
  • FortiSandbox 4.4.0 through 4.4.8 (upgrade to 4.4.9 or later)
  • FortiSandbox Cloud 5.0.4 through 5.0.5 (upgrade to 5.0.6 or later)
  • FortiSandbox PaaS 5.0.4 through 5.0.5 (upgrade to 5.0.6 or later)
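To turn the ranges above into a repeatable check, here is an added example (not code from the article or from Fortinet) that classifies an installed FortiSandbox version against the listed affected and fixed versions, treating branches the advisory does not name as "not listed" rather than as safe:

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Per product and release branch: (first affected, last affected, first fixed),
# transcribed from the affected-version list for CVE-2026-25089 above.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version, Version]]] = {
    "FortiSandbox": [((5, 0, 0), (5, 0, 5), (5, 0, 6)),
                     ((4, 4, 0), (4, 4, 8), (4, 4, 9))],
    "FortiSandbox Cloud": [((5, 0, 4), (5, 0, 5), (5, 0, 6))],
    "FortiSandbox PaaS": [((5, 0, 4), (5, 0, 5), (5, 0, 6))],
}


def parse_version(text: str) -> Version:
    """Turn 'v5.0.3' or '5.0.3' into (5, 0, 3); reject anything non-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, installed: str) -> Tuple[str, str]:
    """Return (status, action); status is 'affected', 'fixed' or 'not_listed'."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(installed)
    for first, last, fixed in AFFECTED_RANGES[product]:
        if v[:2] != first[:2]:
            continue  # different release branch (e.g. 4.4 vs 5.0); try the next entry
        if first <= v <= last:
            return "affected", "upgrade to " + ".".join(map(str, fixed)) + " or later"
        if v >= fixed:
            return "fixed", "no action required for CVE-2026-25089"
    # A branch or build the advisory does not mention is not proof of safety;
    # confirm against the vendor's own PSIRT entry before closing the finding.
    return "not_listed", "not covered by the published ranges; verify with Fortinet's advisory"


if __name__ == "__main__":
    for product, ver in [("FortiSandbox", "5.0.3"), ("FortiSandbox", "4.4.9"),
                         ("FortiSandbox Cloud", "5.0.3"), ("FortiSandbox", "4.2.1")]:
        print(product, ver, "->", assess(product, ver))
```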

Ivanti’s Sentry Vulnerabilities

Ivanti has released patches for two critical vulnerabilities in its Sentry product, formerly known as MobileIron Sentry. The vulnerabilities are:

  • CVE-2026-10520 (CVSS score: 10.0): An operating system command injection vulnerability present in versions prior to R10.5.2, R10.6.2, and R10.7.1, allowing remote unauthenticated users to achieve root-level remote code execution.
  • CVE-2026-10523 (CVSS score: 9.9): An authentication bypass vulnerability in the same versions, enabling remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative access.

Security researchers have detailed that attackers could exploit CVE-2026-10520 by sending specially crafted HTTP requests to specific endpoints, leading to unauthorized command execution. Ivanti’s patches not only remove attacker control over the vulnerable execution path but also add authentication layers to make reaching the endpoint significantly more difficult.

SAP’s Critical Vulnerabilities

SAP has addressed four critical vulnerabilities across its product suite:

  • CVE-2026-44748 (CVSS score: 9.9): An XML signature wrapping vulnerability in SAML authentication within SAP NetWeaver AS ABAP and ABAP Platform.
  • CVE-2026-27671 (CVSS score: 9.8): A memory corruption vulnerability in the Application Server ABAP of SAP NetWeaver and ABAP Platform.
  • CVE-2026-22732 (CVSS score: 9.1): A potential Spring security vulnerability within SAP Commerce Cloud and SAP Data Hub.
  • CVE-2026-40128 (CVSS score: 9.0): A directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container).

These vulnerabilities could allow authenticated attackers with normal privileges to manipulate identity information, leading to unauthorized access to sensitive user data and potential disruption of system usage. Additionally, unauthenticated attackers could exploit certain flaws to achieve memory corruption by sending crafted requests.

While there is currently no evidence of these vulnerabilities being exploited in the wild, it is imperative for organizations using these products to apply the latest patches promptly. Regularly updating software and implementing robust security measures are essential steps in safeguarding systems against potential threats.