Notable Vulnerabilities in Fortinet, Ivanti, and SAP

Fortinet, Ivanti, and SAP have recently released urgent patches for critical vulnerabilities in their products. All of them are dangerous flaws that allow attackers to bypass authentication and execute code remotely on affected systems.
Fortinet Vulnerabilities
Vulnerability Identifiers: CVE-2025-59718 and CVE-2025-59719
CVSS (3.1) Score: 9.8
Severity: CRITICAL
Description: According to Fortinet, these two critical vulnerabilities stem from an improper verification of a cryptographic signature, allowing an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a malicious SAML message, thereby gaining administrative access to FortiOS, FortiWeb, FortiProxy, or FortiSwitchManager.
Affected Versions:
FortiOS: 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, 7.6.0 through 7.6.3
FortiProxy: 7.0.0 through 7.0.21, 7.2.0 through 7.2.14, 7.4.0 through 7.4.10, 7.6.0 through 7.6.3
FortiSwitchManager: 7.0.0 through 7.0.5, 7.2.0 through 7.2.6
FortiWeb: 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0
Recommendation & Mitigation: Users and administrators need to update the affected products to the latest versions. For cases where system updates cannot be performed in the short term, the FortiCloud login feature must be disabled (if this function is currently enabled) until an update can be applied. There are two ways to perform this deactivation:
In the GUI: go to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off.
Or from the CLI, run:
config system global
    set admin-forticloud-sso-login disable
end
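The affected-version list and the CLI workaround above are the two things an operator has to check across a fleet. The script below is an added example written for this page, not Fortinet code: it encodes the advisory's inclusive version ranges, compares versions numerically (so 7.4.10 is not mistaken for being below 7.4.8), and parses a pasted "config system global" block for the admin-forticloud-sso-login setting. The sample configuration text is constructed, and the use of a pasted CLI block (for example from "show full-configuration system global", assumed to print the setting) is an assumption about how the operator collects the data.

```python
import re

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = {
    "FortiOS": [("7.0.0", "7.0.17"), ("7.2.0", "7.2.11"),
                ("7.4.0", "7.4.8"), ("7.6.0", "7.6.3")],
    "FortiProxy": [("7.0.0", "7.0.21"), ("7.2.0", "7.2.14"),
                   ("7.4.0", "7.4.10"), ("7.6.0", "7.6.3")],
    "FortiSwitchManager": [("7.0.0", "7.0.5"), ("7.2.0", "7.2.6")],
    "FortiWeb": [("7.4.0", "7.4.9"), ("7.6.0", "7.6.4"), ("8.0.0", "8.0.0")],
}

# The CLI setting named in the advisory's workaround.
SSO_SETTING = "admin-forticloud-sso-login"
SSO_LINE = re.compile(
    r"^\s*set\s+" + re.escape(SSO_SETTING) + r"\s+(enable|disable)\s*$",
    re.MULTILINE,
)

# Constructed sample of a 'config system global' block as an operator might
# paste it from the CLI; this is not real device output.
SAMPLE_CONFIG_ENABLED = """config system global
    set hostname FGT-EDGE-01
    set admin-forticloud-sso-login enable
end
"""
SAMPLE_CONFIG_DISABLED = SAMPLE_CONFIG_ENABLED.replace("sso-login enable", "sso-login disable")


def parse_version(text):
    """'7.4.10' -> (7, 4, 10): compare numerically so 7.4.10 sorts above 7.4.8."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True when the version sits inside one of the advisory's ranges for that product."""
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES.get(product, []))


def forticloud_sso_enabled(config_text):
    """True/False for an explicit enable/disable line; None when the setting is
    absent from the pasted block, in which case the device must be checked directly."""
    m = SSO_LINE.search(config_text)
    if m is None:
        return None
    return m.group(1) == "enable"


def triage(product, version, config_text):
    """Combine both checks into a one-line status for a patch tracker."""
    if not is_affected(product, version):
        return "not affected"
    state = forticloud_sso_enabled(config_text)
    if state is True:
        return "exposed: disable FortiCloud SSO login now, then upgrade"
    if state is False:
        return "mitigated: SSO login disabled, upgrade still required"
    return "unknown: setting not found, verify on the device"


if __name__ == "__main__":
    for product, version in [("FortiOS", "7.4.8"), ("FortiOS", "7.4.9"), ("FortiWeb", "8.0.0")]:
        print(product, version, "->", triage(product, version, SAMPLE_CONFIG_ENABLED))
```

The "unknown" outcome is deliberate: a missing line is reported rather than assumed to mean disabled, because a default-valued setting may be omitted from some CLI views. Disabling SSO login is a stopgap only; the triage still flags the upgrade.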
Ivanti Vulnerabilities
Vulnerability Identifiers: CVE-2025-10573
CVSS (3.1) Score: 9.6
Severity: CRITICAL
Description: According to Ivanti, a Stored XSS flaw in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript within an administrator's login session.
Stored XSS is a type of web security vulnerability where malicious code (usually JavaScript) is permanently stored on the server, and then automatically executed when a legitimate user accesses the infected content.
In this case, an attacker can send a report containing a malicious payload from a forged device to the primary EPM web service. The server processes the report as legitimate and stores the JavaScript payload in the database fields that the administrative dashboard displays as device information. Once an administrator logs in and views those fields, their browser automatically loads and executes the payload, giving the attacker access to the system and code execution within the administrator's login session.
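The flaw described above has two points at which a dashboard can defend itself: when the device report is accepted, and when stored fields are rendered for the administrator. The following is an added example written for this page, not Ivanti code, and it does not reflect how EPM stores or renders reports; it shows the vulnerable rendering pattern (stored fields concatenated into HTML) beside the hardened form (escape at output time), plus an ingest-time validity check on the hostname field. The device reports are constructed sample data.

```python
import html
import re

# Constructed sample of a device report as a server might store it: the
# hostname field carries markup instead of a name. Not a real EPM payload.
UNTRUSTED_REPORT = {
    "device_id": "dev-0001",
    "hostname": "<script>alert(1)</script>",
    "os": "Windows 11",
}
CLEAN_REPORT = {"device_id": "dev-0002", "hostname": "ws-042.corp.example", "os": "Windows 11"}

FIELDS = ("device_id", "hostname", "os")

# Ingest-time rule: a hostname is dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def accept_report(report):
    """Validate on the way in: a report whose hostname is not a plausible
    hostname is rejected before it reaches the database."""
    return bool(HOSTNAME_RE.match(str(report.get("hostname", ""))))


def render_row_unsafe(report):
    """The vulnerable pattern: stored fields concatenated straight into HTML,
    so whatever the device reported becomes live markup in the admin's browser."""
    return "<tr>" + "".join(f"<td>{report[k]}</td>" for k in FIELDS) + "</tr>"


def render_row_safe(report):
    """The hardened form: HTML-escape every stored field at output time, so the
    browser shows the text of the payload instead of executing it."""
    return "<tr>" + "".join(
        f"<td>{html.escape(str(report[k]), quote=True)}</td>" for k in FIELDS
    ) + "</tr>"


def has_live_tag(rendered):
    """Check a reviewer or a test can apply to rendered output: is there an
    unescaped script tag in what the browser will receive?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("accepted:", accept_report(UNTRUSTED_REPORT))
    print("unsafe:", render_row_unsafe(UNTRUSTED_REPORT))
    print("safe:  ", render_row_safe(UNTRUSTED_REPORT))
```

Both layers matter: input validation stops malformed reports early, but output escaping is what actually prevents stored data from being interpreted as markup, and it must apply to every field rendered, not only those with a tight input rule.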
Additionally, Ivanti also announced that three other High-severity vulnerabilities exist in the Ivanti Endpoint Manager product, which received patches along with CVE-2025-10573. These vulnerabilities, identified as CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662, allow an unauthenticated hacker to perform path traversal attacks, conduct unauthorized file writing, and achieve remote code execution on the system, respectively.
Affected Versions: Ivanti Endpoint Manager version 2024 SU4 and earlier versions
Recommendation & Mitigation: Update to the latest version of Ivanti Endpoint Manager: version 2024 SU4 SR1. For cases where the update cannot be performed in the short term, Ivanti recommends that users and administrators do not expose the system to the public internet, and also refrain from connecting to unknown servers or installing untrusted configuration files.
SAP Vulnerabilities
SAP also did not stay out of the "race" for critical security vulnerabilities, as the company recently released patches for 14 flaws across its products, including three extremely critical vulnerabilities:
CVE-2025-42880 (CVSS score: 9.9) - A code injection vulnerability in SAP Solution Manager
CVE-2025-55754 (CVSS score: 9.6) - Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
CVE-2025-42928 (CVSS score: 9.1) - A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE)
With vulnerabilities related to code injection and deserialization, attackers typically send malicious payloads designed to be executed by the processing component (for example, sending a request containing a malicious serialized object to jConnect or sending data that forces SolMan to execute commands). Low-privilege accounts can be exploited to insert and execute code on the system, posing a serious threat to information security, and causing significant damage to organizations and businesses under attack.
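The deserialization case above is the one where the fix pattern is most uniform across products: a loader must only reconstruct the types it expects, and must refuse anything else before any constructor or callable runs. The block below is an added illustration written for this page, not SAP code; it uses Python's pickle in place of the serialization format the affected product uses, and the QueryRequest and Unexpected classes are hypothetical stand-ins for an expected message type and for any type outside the allow-list.

```python
import io
import pickle


class QueryRequest:
    """The one message type this endpoint expects to receive (hypothetical)."""
    def __init__(self, statement, limit):
        self.statement = statement
        self.limit = limit


class Unexpected:
    """Any other type. Stands in for whatever class an untrusted object graph
    would name; the loader must refuse it without instantiating anything."""


# Allow-list keyed by (module, class name), the pair pickle hands to find_class.
ALLOWED = {(QueryRequest.__module__, QueryRequest.__name__): QueryRequest}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        """Called for every global the stream references; a name not on the
        allow-list aborts the load before any code from that class can run."""
        try:
            return ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def handle_message(data):
    """Endpoint logic: returns ('ok', obj) or ('rejected', reason). The
    top-level type is checked too, since primitives need no globals at all."""
    try:
        obj = safe_loads(data)
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
    if not isinstance(obj, QueryRequest):
        return ("rejected", "unexpected top-level type")
    return ("ok", obj)


def sample_expected_bytes():
    """Constructed message of the expected type."""
    return pickle.dumps(QueryRequest("select 1", 10), protocol=4)


def sample_unexpected_bytes():
    """Constructed message naming a type outside the allow-list."""
    return pickle.dumps(Unexpected(), protocol=4)


if __name__ == "__main__":
    print(handle_message(sample_expected_bytes())[0])
    print(handle_message(sample_unexpected_bytes()))
```

An allow-list is the point, not a deny-list: a deny-list of known-bad classes has to be updated every time a new one is found, whereas a loader that only knows QueryRequest rejects everything else by construction. Where a product cannot restrict types this way, not accepting serialized objects from low-privilege or unauthenticated sources at all is the fallback.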
With the flaws in Apache Tomcat, attackers can achieve code execution or file retrieval if Tomcat is exposed to the Internet. Each of these flaws can be chained into a larger attack sequence: Remote Attack → Privilege Escalation → Lateral Movement → Data Manipulation/Malware Deployment.
Recommendation & Mitigation: Update to the latest versions across SAP products, particularly addressing the three extremely critical vulnerabilities mentioned above. Additionally, users and administrators need to limit the exposure of web/Tomcat services to the public internet, enable MFA (Multi-Factor Authentication) for SAP administrative accounts, implement proper privilege segregation for accounts on the system, and deploy WAF (Web Application Firewall) and VPN combined with 24/7 log review and security monitoring for critical services.