Cybersecurity leaders Fortinet, Ivanti, and SAP have issued urgent patches for critical security vulnerabilities discovered in their respective products. These flaws, if exploited, could allow attackers to bypass authentication and execute arbitrary code, posing a significant threat to enterprise security. Organizations are strongly advised to apply these updates immediately to protect their systems from potential compromise.
Fortinet Addresses Critical Authentication Bypass Vulnerabilities
Fortinet has released security updates to resolve two critical vulnerabilities affecting its FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products. The flaws, tracked as CVE-2025-59718 and CVE-2025-59719, both carry a CVSS score of 9.8, indicating a severe risk. According to Fortinet’s advisory, these vulnerabilities stem from an improper verification of cryptographic signatures.
Specifically, an unauthenticated attacker could exploit this weakness by sending a specially crafted SAML message to bypass the FortiCloud Single Sign-On (SSO) login authentication, provided this feature is enabled on the affected device. Fortinet clarified that the FortiCloud SSO login feature is not enabled by default in factory settings. It becomes active when an administrator registers a device to FortiCare and does not disable the “Allow administrative login using FortiCloud SSO” toggle on the registration page.
As an interim mitigation before the patches are applied, Fortinet recommends that organizations with FortiCloud SSO login enabled temporarily disable the feature. This can be done either in the GUI, by navigating to System > Settings and switching “Allow administrative login using FortiCloud SSO” to Off, or by running the following commands in the Command Line Interface (CLI):
config system global
set admin-forticloud-sso-login disable
end
Applying the official updates is the definitive solution to remediate these critical Fortinet vulnerabilities.
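Before the updates land, a defender will want to know which devices still have the toggle on. The following is an added example (not Fortinet's code) that parses the `admin-forticloud-sso-login` setting out of saved FortiOS configuration backups, which use the same `config ... set ... end` syntax as the CLI commands above; the sample configuration text is constructed for illustration.

```python
import re

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

def forticloud_sso_login_state(config_text: str) -> str:
    """Return 'enable', 'disable' or 'unset' for admin-forticloud-sso-login
    inside the 'config system global' block of a FortiOS config dump.
    'unset' means the line is absent and the device default applies."""
    stack = []            # nesting of config/edit blocks being walked
    state = "unset"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and header comments
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line)
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        # Only a 'set' directly under 'config system global' counts.
        elif line.startswith("set ") and stack == ["system global"]:
            m = re.match(r"set\s+admin-forticloud-sso-login\s+(\S+)", line)
            if m:
                state = m.group(1)
    return state

def devices_needing_mitigation(configs: dict) -> list:
    """Given {hostname: config_text}, list hosts with FortiCloud SSO login enabled."""
    return sorted(h for h, c in configs.items()
                  if forticloud_sso_login_state(c) == "enable")

if __name__ == "__main__":
    print(forticloud_sso_login_state(SAMPLE_CONFIG))   # prints "enable"
```

A result of `unset` only means the setting is not written explicitly in the backup; since registering to FortiCare turns the feature on, confirm such devices in the GUI rather than assuming they are safe.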
Ivanti Releases Fixes for Critical EPM Flaw and Other High-Severity Bugs
Meanwhile, Ivanti has also addressed critical security issues, releasing updates for its Endpoint Manager (EPM) product. A particularly concerning vulnerability, CVE-2025-10573, with a CVSS score of 9.6, resides in the EPM core and its remote consoles. This flaw allows for stored cross-site scripting (XSS), enabling a remote, unauthenticated attacker to execute arbitrary JavaScript within the context of an administrator’s session.
Security researcher Ryan Emmons of Rapid7 discovered and reported the vulnerability in August 2025. His findings indicate that an attacker gaining unauthenticated access to the primary EPM web service could register fake managed endpoints to the EPM server. This action would then poison the administrator’s web dashboard with malicious JavaScript. When an administrator views the compromised dashboard, the passive interaction triggers client-side JavaScript execution, granting the attacker control over the administrator’s session.
Ivanti has stated that user interaction is necessary for exploitation and that it is unaware of any active exploitation in the wild. This critical flaw has been patched in EPM version 2024 SU4 SR1. In addition to this critical vulnerability, Ivanti’s update also resolves three other high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662). Notably, CVE-2025-13662, like the Fortinet critical flaws, arises from improper verification of cryptographic signatures within the patch management component and could lead to arbitrary code execution.
SAP Issues Patches for Three Critical Vulnerabilities
SAP has rounded out the list of urgent security advisories by releasing its December security updates. These updates address a total of 14 vulnerabilities across various SAP products, including three rated as critical severity. The most severe critical flaws are:
- CVE-2025-42880 (CVSS score: 9.9) – A code injection vulnerability affecting SAP Solution Manager.
- CVE-2025-55754 (CVSS score: 9.6) – Multiple vulnerabilities within the Apache Tomcat component of SAP Commerce Cloud.
- CVE-2025-42928 (CVSS score: 9.1) – A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE).
Onapsis, an SAP security platform provider, is credited with reporting CVE-2025-42880 and CVE-2025-42928. According to Onapsis, CVE-2025-42880 lies in a remote-enabled function module of SAP Solution Manager and allows an authenticated attacker to inject arbitrary code. Given the central role of SAP Solution Manager in many SAP landscapes, timely patching is strongly recommended.
CVE-2025-42928, while rated with a slightly lower critical score, can still lead to remote code execution. This requires an attacker to provide specifically crafted input to the SAP jConnect SDK component, and successful exploitation necessitates elevated privileges. With malicious actors frequently targeting vulnerabilities in solutions from companies like Fortinet, Ivanti, and SAP, the proactive application of vendor-provided patches remains the most effective defense.
The continuous stream of critical vulnerabilities from major vendors like Fortinet, Ivanti, and SAP underscores the ongoing need for organizations to maintain robust patch management programs. Users of affected products should prioritize applying these security updates promptly. The next steps for affected organizations involve assessing their exposure, planning the deployment of patches, and verifying successful implementation to ensure their systems are protected against these critical threats.