Ivanti Fortinet And SAP Release Critical Security Patches For High Severity Vulnerabilities

Fortinet, Ivanti, and SAP have each released security updates addressing critical vulnerabilities in enterprise security appliances, mobile infrastructure, and core business applications. The flaws carry high or critical severity ratings and include arbitrary code execution, authentication bypass, and sensitive data exposure, in platforms widely deployed for security monitoring (malware sandboxing), mobile device management gateways, and ERP environments.

Fortinet addressed a critical command injection vulnerability, CVE-2026-25089 (CVSS 9.1), in the web UI of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw is an improper neutralization of special elements used in operating system commands (CWE-78): according to Fortinet, an unauthenticated attacker can execute unauthorized commands by sending specially crafted HTTP requests. Affected versions are FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5; the fix is in 5.0.6 or later and 4.4.9 or later. Because the flaw is reachable without authentication, organizations running affected builds should treat the upgrade as a priority rather than leaving it to routine patch cycles.
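The CWE-78 pattern behind the FortiSandbox flaw (and the Ivanti Sentry flaw described next) is an HTTP-supplied value spliced into an operating system command line. The following is an added illustration, not Fortinet's or Ivanti's code: a vulnerable command builder beside a hardened one, with a tokeniser that shows how a shell would see the injected value. The `ping` wrapper, the hostname pattern and the sample inputs are assumptions chosen for the example.

```python
import re
import shlex
import subprocess

# Constructed sample inputs standing in for the value of an HTTP parameter; the
# attacker string is illustrative and is not the payload from the advisory.
BENIGN_HOST = "10.0.0.5"
MALICIOUS_HOST = "10.0.0.5; cat /etc/passwd"

# Hostname or dotted IPv4: alphanumerics, dots and hyphens, no leading hyphen
# (so the value can never be parsed as an option), no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_ping_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a command line that is
    later handed to a shell (subprocess.run(..., shell=True) or os.system)."""
    return f"ping -c 1 {host}"


def count_shell_commands(cmdline: str) -> int:
    """Tokenise a command line the way a POSIX shell would and count how many
    separate commands it contains. Anything above 1 means injection succeeded."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for token in lexer if token in separators)


def is_safe_host(host: str) -> bool:
    return bool(HOST_RE.fullmatch(host))


def build_ping_argv_hardened(host: str) -> list[str]:
    """Hardened form: validate against a strict allowlist, then pass the value
    as a single argv element so no shell ever interprets it."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened command. shell=False means even a value that slipped
    past validation would reach ping as one literal argument, not as shell syntax."""
    argv = build_ping_argv_hardened(host)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=5).returncode


if __name__ == "__main__":
    for host in (BENIGN_HOST, MALICIOUS_HOST):
        cmd = build_ping_command_vulnerable(host)
        print(f"vulnerable: {cmd!r} -> {count_shell_commands(cmd)} command(s)")
        try:
            print(f"hardened:   argv={build_ping_argv_hardened(host)}")
        except ValueError as exc:
            print(f"hardened:   {exc}")
```

The two defences are independent: the allowlist rejects anything that is not a plausible host, and `shell=False` with an argument list guarantees that whatever does get through is handed to the program as data rather than parsed as shell syntax. Dropping either one is how CWE-78 findings typically come back after a "fix".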

Ivanti also released fixes for two critical vulnerabilities in Ivanti Sentry (formerly MobileIron Sentry), tracked as CVE-2026-10520 and CVE-2026-10523. CVE-2026-10520 (CVSS 10.0) is an operating system command injection flaw that allows a remote, unauthenticated attacker to achieve root-level remote code execution on versions prior to R10.5.2, R10.6.2, and R10.7.1. CVE-2026-10523 (CVSS 9.9) is an authentication bypass that lets a remote attacker create arbitrary administrative accounts and gain full administrative access. Researchers at watchTowr Labs reported that CVE-2026-10520 can be triggered by a specially crafted HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint; the request is interpreted as a configuration command and executed by a backend function named handleExecute(). Ivanti's fix restricts access to the vulnerable endpoint, redirecting unauthenticated requests to the login interface so that the affected path is only reachable after authentication. Since the endpoint was exposed to unauthenticated callers before the fix, administrators should also review web server logs for requests to that path on appliances that were internet-facing while unpatched.
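A retrospective check a defender would want is a sweep of access logs for the Sentry endpoint named above. The following is an added example, not Ivanti's or watchTowr's tooling: it parses constructed log lines in Apache/Tomcat combined format (an assumption; Sentry's real log layout may differ), normalises each request path so that percent-encoded or dot-segment variants of the endpoint cannot slip past the match, and summarises hits per source address. The internal network ranges are also an assumption to adjust for your environment.

```python
import posixpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Endpoint named in the watchTowr Labs write-up summarised above.
SENTRY_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Assumption: the management network is RFC 1918 space; adjust to your environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample lines in Apache/Tomcat "combined" log format. The layout is an
# assumption for illustration; Ivanti Sentry's real access log format may differ.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.0.15 - admin [12/Mar/2026:10:15:10 +0000] "GET /mics/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:15:44 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:11:02:31 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.9 - - [12/Mar/2026:11:02:35 +0000] "POST /mics/api/v2/sentry/./mics-config/handle%4Dessage?x=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"
10.20.0.15 - admin [12/Mar/2026:11:03:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    status: int
    raw_path: str
    external: bool


def normalise_path(raw: str) -> str:
    """Decode percent-encoding, drop the query string and collapse ./ and ../ segments
    so that an encoded or dotted variant of the endpoint cannot evade the match."""
    path = unquote(urlsplit(raw).path)
    return posixpath.normpath(path)


def is_external(ip: str) -> bool:
    """Anything outside the assumed management ranges (or unparseable) is external."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_sentry_hits(log_text: str) -> list[Hit]:
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if normalise_path(m["path"]) != SENTRY_ENDPOINT:
            continue
        hits.append(Hit(m["ip"], m["ts"], m["method"], int(m["status"]), m["path"], is_external(m["ip"])))
    return hits


def summarise(hits: list[Hit]) -> dict[str, Counter]:
    """Per source IP, how many requests hit the endpoint and which status codes came back."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for h in hits:
        summary[h.ip][h.status] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_sentry_hits(SAMPLE_LOG)
    for ip, statuses in summarise(hits).items():
        origin = "external" if is_external(ip) else "internal"
        print(f"{ip} ({origin}): {dict(statuses)}")
```

Because the fix redirects unauthenticated callers to the login page, 2xx responses on this path from external sources on a pre-fix appliance deserve the closest look; 3xx responses after the upgrade are consistent with the patched behaviour but still show who was probing.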

SAP has also released updates for four critical vulnerabilities affecting SAP NetWeaver AS ABAP, ABAP Platform, SAP Commerce Cloud, and SAP Data Hub: CVE-2026-44748, a CVSS 9.9 XML signature wrapping flaw in SAML authentication; CVE-2026-27671, a CVSS 9.8 memory corruption flaw in SAP NetWeaver Application Server ABAP; CVE-2026-22732, a CVSS 9.1 issue in a Spring component; and CVE-2026-40128, a CVSS 9.0 directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container. According to Onapsis, a firm specializing in SAP security, the XML signature wrapping flaw allows an authenticated attacker with standard privileges to modify signed XML documents and manipulate the identity information they carry, which can lead to unauthorized access to sensitive user data. The memory corruption flaw is reachable through crafted RFC requests that exploit validation weaknesses in the SAP kernel (the NetWeaver kernel, not the operating system kernel), potentially crashing the server or enabling further exploitation. SAP noted that there is no current evidence of in-the-wild exploitation, but organizations are strongly advised to apply the patches promptly to reduce exposure across enterprise deployments.
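XML signature wrapping works because a consumer verifies that some signature in the document is valid and then acts on an assertion the signature does not actually cover. The structural defence is to use only the element pinned by the signature's Reference. The following is an added example, not SAP's or Onapsis's code: a naive consumer that takes the first Assertion beside a hardened one that resolves the Reference URI, requires the ID to be unique, and requires the signature to be enveloped inside the element it references. The constructed documents use a placeholder signature value because this example checks structure only; a real consumer must additionally verify the signature cryptographically against the IdP's key.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
NAMEID = "{%s}NameID" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
SIGNEDINFO = "{%s}SignedInfo" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]

RESPONSE_OPEN = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">'
                 % (NS["samlp"], NS["saml"], NS["ds"]))


def assertion_xml(assertion_id: str, name_id: str, signed: bool) -> str:
    """Build a minimal constructed assertion; the signature value is a placeholder
    because this example checks structure, not cryptography."""
    sig = ""
    if signed:
        sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
               '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % assertion_id)
    return ('<saml:Assertion ID="%s"><saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject>%s</saml:Assertion>' % (assertion_id, name_id, sig))


# Constructed test documents. LEGIT is what the IdP issued; WRAPPED and
# DUPLICATE_ID are what an attacker who can edit the document might submit.
LEGIT = RESPONSE_OPEN + assertion_xml("_a1", "alice", True) + "</samlp:Response>"
WRAPPED = (RESPONSE_OPEN + assertion_xml("_evil", "attacker", False)
           + assertion_xml("_a1", "alice", True) + "</samlp:Response>")
DUPLICATE_ID = (RESPONSE_OPEN + assertion_xml("_a1", "attacker", False)
                + assertion_xml("_a1", "alice", True) + "</samlp:Response>")


def consume_naive(xml_text: str) -> str:
    """Vulnerable consumer: trusts the first Assertion it finds, assuming a
    signature somewhere in the document covers it."""
    root = ET.fromstring(xml_text)
    return root.find(".//" + ASSERTION).find(".//" + NAMEID).text


def select_signed_assertion(root: ET.Element) -> ET.Element:
    """Return the one Assertion that the (single) enveloped signature actually
    references, or raise ValueError if the document's structure is ambiguous."""
    parent = {child: p for p in root.iter() for child in p}
    sigs = root.findall(".//" + SIGNATURE)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature, found %d" % len(sigs))
    sig = sigs[0]
    signed_info = sig.find(SIGNEDINFO)
    refs = signed_info.findall(REFERENCE) if signed_info is not None else []
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    target_id = refs[0].get("URI")[1:]
    matches = [e for e in root.iter() if e.get("ID") == target_id]
    if len(matches) != 1:
        raise ValueError("ID %r must identify exactly one element" % target_id)
    target = matches[0]
    if target.tag != ASSERTION:
        raise ValueError("signature does not cover an Assertion")
    if parent.get(sig) is not target:
        raise ValueError("Signature must be enveloped inside the Assertion it references")
    if parent.get(target) is not root:
        raise ValueError("signed Assertion must be a direct child of the Response")
    return target


def consume_pinned(xml_text: str) -> str:
    """Hardened consumer: only the element pinned by the signature Reference is used."""
    assertion = select_signed_assertion(ET.fromstring(xml_text))
    return assertion.find(".//" + NAMEID).text


def is_rejected(xml_text: str) -> bool:
    try:
        consume_pinned(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, doc in (("LEGIT", LEGIT), ("WRAPPED", WRAPPED), ("DUPLICATE_ID", DUPLICATE_ID)):
        pinned = "rejected" if is_rejected(doc) else consume_pinned(doc)
        print(f"{name}: naive -> {consume_naive(doc)!r}, pinned -> {pinned!r}")
```

The ordering matters: resolve the Reference first and only then decide which subtree to read, and never accept a document where the referenced ID is ambiguous. Extracting the signed subtree and re-parsing it in isolation before applying any business logic is a further step many production SAML libraries take for the same reason.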
