Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities

Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure.

The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It’s tracked as CVE-2026-25089 (CVSS score: 9.1).

“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests,” Fortinet said.

The issue impacts the following products and versions –

• FortiSandbox 5.0.0 through 5.0.5 (Upgrade to 5.0.6 or above)
• FortiSandbox 4.4.0 through 4.4.8 (Upgrade to 4.4.9 or above)
• FortiSandbox Cloud 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above)
• FortiSandbox PaaS 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above)

On Tuesday, Ivanti also published fixes for two critical security flaws impacting Ivanti Sentry (formerly MobileIron Sentry) –

• CVE-2026-10520 (CVSS score: 10.0) – An operating system command injection vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated user to achieve root-level remote code execution.
• CVE-2026-10523 (CVSS score: 9.9) – An authentication bypass vulnerability before versions R10.5.2, R10.6.2, and R10.7.1 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

watchTowr Labs, which published additional details of CVE-2026-10520, said an attacker could exploit the vulnerability by issuing a specially crafted HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint, which is then interpreted as a MICS configuration command and executed by a backend component named “handleExecute().”

The patch shipped by Ivanti incorporates additional controls that block access to the vulnerable endpoint, causing unauthenticated requests to be redirected to the login page.

“Ivanti did not just remove attacker control over the vulnerable execution path,” security researcher Sonny Macdonald said. “They also added a layer of protection in front of it to make reaching the endpoint significantly more difficult. In other words: they added authentication.”

Rounding off the list of updates is SAP, which pushed out fixes for four critical vulnerabilities in NetWeaver AS ABAP and ABAP Platform, as well as SAP Commerce Cloud and SAP Data Hub –

• CVE-2026-44748 (CVSS score: 9.9) – XML signature wrapping vulnerability in SAML authentication in SAP NetWeaver AS ABAP and ABAP Platform
• CVE-2026-27671 (CVSS score: 9.8) – Memory corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform
• CVE-2026-22732 (CVSS score: 9.1) – Potential Spring security vulnerability within SAP Commerce Cloud and SAP Data Hub
• CVE-2026-40128 (CVSS score: 9.0) – Directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)