Fortinet, Ivanti, and SAP Issue Urgent Patches for Critical Authentication and Code Execution Flaws

Major technology providers Fortinet, Ivanti, and SAP have released urgent security patches addressing critical vulnerabilities that could allow attackers to bypass authentication and execute malicious code across enterprise systems, affecting thousands of organizations worldwide.

These high-severity flaws, carrying CVSS scores of up to 9.9, pose significant risks to corporate networks, with security researchers warning that swift patching is essential as similar vulnerabilities have frequently been exploited by threat actors in the past. Organizations should prioritize these updates as part of their comprehensive cybersecurity strategy and risk management approach.

Critical Vulnerabilities and Affected Systems

Fortinet's critical authentication bypass vulnerabilities

Fortinet has addressed two critical security vulnerabilities (CVE-2025-59718 and CVE-2025-59719) affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Both flaws carry a severe CVSS score of 9.8.

The vulnerabilities stem from improper verification of cryptographic signatures, potentially allowing unauthenticated attackers to bypass the FortiCloud SSO login authentication through crafted SAML messages. This attack vector is only exploitable when the FortiCloud SSO login feature is enabled on affected devices.

"While this vulnerability is severe, the FortiCloud SSO login feature is not enabled in default factory settings," a Fortinet spokesperson explained in their advisory. "The risk only applies to organizations that have registered their devices to FortiCare and haven't disabled the administrative login using FortiCloud SSO toggle."

Organizations using affected Fortinet products should implement the following temporary mitigation until patching is possible:

1. Disable the FortiCloud login feature by navigating to System -> Settings and switching "Allow administrative login using FortiCloud SSO" to Off

2. Alternatively, run the following command in the CLI:

   config system global
   set admin-forticloud-sso-login disable
   end
   

Security experts emphasize that proper configuration management remains crucial for network security. "This is a classic case of how default settings can protect you, but post-installation changes can create vulnerabilities if not properly managed," notes Ensar Seker, CISO at threat intelligence company SOCRadar.

Ivanti addresses critical dashboard poisoning flaw

Ivanti has released updates addressing four security vulnerabilities in its Endpoint Manager (EPM) platform. The most severe, CVE-2025-10573, carries a critical CVSS score of 9.6 and affects the EPM core and remote consoles.

This stored cross-site scripting (XSS) vulnerability allows unauthenticated attackers to execute arbitrary JavaScript code in administrator sessions. Rapid7 security researcher Ryan Emmons, who discovered the flaw, explained that attackers could join fake managed endpoints to the EPM server, poisoning the administrator web dashboard with malicious JavaScript.

"When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator's session," Emmons said.

Douglas McKee, director of vulnerability intelligence at Rapid7, emphasized the severity of the issue: "CVE-2025-10573 represents a serious risk as it's trivial to exploit and can be done by sending a fake device report to the server using a basic file format."

The vulnerability has been patched in EPM version 2024 SU4 SR1, which also addresses three other high-severity flaws:

• CVE-2025-13659 (details not fully disclosed)
• CVE-2025-13661 (details not fully disclosed)
• CVE-2025-13662, which also stems from improper verification of cryptographic signatures in the patch management component

Ivanti noted that while user interaction is required to exploit CVE-2025-10573, this doesn't significantly reduce the threat level. "The likelihood of triggering the exploit during normal operations is high, ultimately allowing the attacker to take control of the administrator's session," McKee added.

SAP patches three critical vulnerabilities

SAP's December security update addresses 14 vulnerabilities across multiple products, including three critical flaws:

1. CVE-2025-42880 (CVSS score: 9.9) – A code injection vulnerability in SAP Solution Manager that allows authenticated attackers to inject arbitrary code.

2. CVE-2025-55754 (CVSS score: 9.6) – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud.

3. CVE-2025-42928 (CVSS score: 9.1) – A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE) that enables remote code execution through specially crafted input, though elevated privileges are required.

Boston-based SAP security platform Onapsis has been credited with reporting two of these critical vulnerabilities. Thomas Fritsch, Onapsis security researcher, emphasized the importance of timely patching: "Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch."

Impact and Recommended Mitigation Strategies

These vulnerabilities present significant risks to enterprise environments, particularly as they affect core infrastructure components that manage critical business systems. The timing of these disclosures creates additional pressure as many IT departments are already stretched thin during the holiday season – reminiscent of the Log4j "Log4Shell" vulnerability that emerged in December 2021 and caused widespread disruption.

Organizations using affected products should:

1. Prioritize patching these vulnerabilities according to their exposure and criticality
2. Implement recommended temporary mitigations if immediate patching isn't possible
3. Monitor for suspicious activity that could indicate exploitation attempts
4. Review system logs for evidence of previous exploitation
5. Conduct security assessments to identify potentially compromised systems

"Remote code execution via JavaScript injection is no longer theoretical in supply chain attacks; it's become operationally viable," warned SOCRadar's Seker. "Organizations must act swiftly to patch, and more importantly, implement rigorous user interface sanitization and privilege segmentation."

The increasing sophistication of attacks targeting enterprise management tools underscores the importance of robust cloud security practices and defense-in-depth strategies. Even when vulnerabilities exist, proper network segmentation, least-privilege access controls, and comprehensive monitoring can help limit an attacker's ability to move laterally through systems.

These patches arrive amid growing concern about the expanding attack surface of modern enterprises, especially as more companies migrate to cloud-based infrastructure and adopt remote work policies that introduce new security challenges. Establishing proper website security protocols and infrastructure protection is becoming increasingly crucial as attackers target business-critical systems.

Enhanced Vulnerability Management Recommendations

In addition to addressing these specific vulnerabilities, organizations should consider implementing the following enhanced security measures:

1. Create a vulnerability response playbook specific to authentication bypass and code execution flaws, with pre-defined roles and responsibilities for rapid remediation.

2. Implement network traffic monitoring focused on detecting SAML manipulation and suspicious administrative session activities.

3. Conduct regular security assessments of SSO implementations across the enterprise, particularly focusing on SAML-based authentication systems.

4. Establish a comprehensive asset inventory to quickly identify affected systems when new vulnerabilities are disclosed.

5. Develop contingency plans for critical system compromise, including isolation procedures and business continuity measures.

According to the National Cybersecurity Alliance, organizations that implement a structured vulnerability management program reduce their risk of successful cyberattacks by up to 80%. Instituting a regular patching cadence and conducting security awareness training for IT staff about the specific risks posed by authentication bypass vulnerabilities can significantly reduce organizational risk.

Security experts recommend documenting all mitigations implemented, whether temporary or permanent, to ensure proper security posture tracking during the remediation process. For organizations with limited security resources, prioritizing the Fortinet and Ivanti vulnerabilities may be prudent, as their unauthenticated nature makes them particularly attractive targets for threat actors.