Fortinet, Ivanti, and SAP Issue Urgent Patches for High-Risk Authentication and Code Execution Flaws
Fortinet, Ivanti, and SAP have released urgent patches to fix serious vulnerabilities that could let attackers bypass authentication or execute code on impacted systems. These flaws are being closely watched by security teams because they affect widely deployed enterprise products. Organizations are advised to apply the updates as soon as possible, review logs for unusual activity, and tighten exposed services to reduce the chances of exploitation in active environments.
Fortinet, Ivanti, and SAP have all issued important security updates addressing multiple vulnerabilities which, if left unpatched, would allow attackers to bypass authentication, inject malicious code, or take control of admin sessions.
Fortinet: SAML Abuse Leading to Authentication Bypass
Fortinet has addressed three major bugs affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8), the flaws stem from improper handling of cryptographic signatures.
According to Fortinet, the vulnerability allows an attacker with no prior authentication to craft a malicious SAML message and bypass the FortiCloud SSO login process, but only when that feature is enabled. FortiCloud SSO is not enabled by default; it becomes active only when the device is registered with FortiCare and the setting “Allow administrative login using FortiCloud SSO” is left on.
Until the patches can be applied, Fortinet recommends disabling FortiCloud SSO from the system settings or via the CLI. This prevents attackers from exploiting the flawed signature checks.
Ivanti: Critical EPM Dashboard Compromise
Ivanti, alongside fixing a critical issue in the main platform and remote consoles, also released a bug fix for Endpoint Manager (EPM). The most serious vulnerability, CVE-2025-10573 (CVSS 9.6), is a stored cross-site scripting flaw that allows a remote, unauthenticated attacker to execute arbitrary JavaScript inside an administrator's browser session.
The issue, reported by Rapid7 researcher Ryan Emmons, lets an attacker register fake devices on the EPM server and embed malicious JavaScript in the charts and graphs shown to administrators. When an admin later views the chart as part of routine monitoring, the script executes and the attacker may hijack the administrator's session.
Douglas McKee of Rapid7 remarked that the flaw is very easy to exploit, because the attacker only needs to use a basic file format for the malicious payload to reach its target. Even though security professionals note that exploitation still requires user interaction, they regard the threat as considerable because admins check dashboards daily. Ivanti states that it has seen no in-the-wild exploitation so far. The issue is addressed in EPM version 2024 SU4 SR1.
The same release also addressed three more high-severity vulnerabilities: CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662. One of them, CVE-2025-13662, stems from improper verification of cryptographic signatures, similar to the Fortinet flaws, and could lead to remote code execution.
SAP: Three Major Vulnerabilities Fixed
SAP's December patch release addressed 14 bugs, three of which were rated critical:
- CVE-2025-42880 (CVSS 9.9): Code injection in SAP Solution Manager
- CVE-2025-55754 (CVSS 9.6): A series of Apache Tomcat issues in SAP Commerce Cloud
- CVE-2025-42928 (CVSS 9.1): A deserialization flaw in the SAP jConnect SDK for Sybase ASE
The first and the last of these vulnerabilities were reported by Onapsis researchers. The SAP Solution Manager defect allows authenticated users to inject arbitrary code, while CVE-2025-42928 can lead to remote code execution via specially crafted inputs, though the attacker would still need high privileges.