Patches Released for Critical Vulnerabilities by Ivanti, Fortinet, and SAP

Ivanti, Fortinet, and SAP have issued security updates addressing multiple critical vulnerabilities that could lead to arbitrary code execution and information disclosure.


Fortinet’s Command Injection Vulnerability

Fortinet has addressed a command injection vulnerability in its FortiSandbox products, tracked as CVE-2026-25089 with a CVSS score of 9.1. The flaw is an improper neutralization of special elements used in an OS command, which could allow unauthenticated attackers to execute unauthorized commands through specially crafted HTTP requests. The affected products include:

– FortiSandbox versions 5.0.0 to 5.0.5 (upgrade to 5.0.6 or above)
– FortiSandbox versions 4.4.0 to 4.4.8 (upgrade to 4.4.9 or above)
– FortiSandbox Cloud versions 5.0.4 to 5.0.5 (upgrade to 5.0.6 or above)
– FortiSandbox PaaS versions 5.0.4 to 5.0.5 (upgrade to 5.0.6 or above)

Ivanti’s Critical Flaws in Sentry

On June 10, 2026, Ivanti published fixes for two critical vulnerabilities in Ivanti Sentry (formerly MobileIron Sentry). The first, CVE-2026-10520, has a CVSS score of 10.0 and is an operating system command injection vulnerability affecting versions prior to R10.5.2, R10.6.2, and R10.7.1. This flaw allows remote unauthenticated users to achieve root-level remote code execution.

The second vulnerability, CVE-2026-10523, with a CVSS score of 9.9, is an authentication bypass issue that enables remote unauthenticated attackers to create arbitrary administrative accounts, granting full administrative access. Ivanti’s patch includes additional controls to block access to the vulnerable endpoint, redirecting unauthenticated requests to the login page.
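The FortiSandbox and Ivanti Sentry version ranges given above can be checked against an asset inventory with a branch-aware comparison, since a single "older than X" test misclassifies a release such as R10.6.1. The script below is an added example, not vendor or NeonPulse code; the `triage` function, the status labels, the sample inventory, and the reading of the three Sentry versions as per-branch fixed releases are assumptions.

```python
import re

# Ranges as stated in the article: (product, first affected, first fixed).
FORTI = [
    ("FortiSandbox", (5, 0, 0), (5, 0, 6)),
    ("FortiSandbox", (4, 4, 0), (4, 4, 9)),
    ("FortiSandbox Cloud", (5, 0, 4), (5, 0, 6)),
    ("FortiSandbox PaaS", (5, 0, 4), (5, 0, 6)),
]
# Ivanti Sentry fixed releases, keyed by branch (per-branch reading is an assumption).
SENTRY_FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}


def parse(version):
    """Turn 'R10.6.1' or '5.0.5' into a comparable tuple of ints."""
    m = re.fullmatch(r"[Rr]?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) for g in m.groups())


def triage(product, version):
    """Return (status, first_fixed_or_None) for one inventory entry."""
    v = parse(version)
    if product == "Ivanti Sentry":
        fixed = SENTRY_FIXED.get(v[:2])
        if fixed is not None:
            return ("affected" if v < fixed else "fixed", fixed)
        # Older than every listed branch: still "prior to" the fixes, no same-branch fix.
        if v[:2] < min(SENTRY_FIXED):
            return ("affected", None)
        return ("not-listed", None)
    for name, low, fixed in FORTI:
        if name == product and low[:2] == v[:2]:
            if low <= v < fixed:
                return ("affected", fixed)
            if v >= fixed:
                return ("fixed", fixed)
    return ("not-listed", None)  # not covered by the article; check the vendor advisory


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = [("Ivanti Sentry", "R10.6.1"), ("Ivanti Sentry", "R10.5.2"),
                 ("FortiSandbox", "4.4.8"), ("FortiSandbox Cloud", "5.0.3")]
    for product, version in inventory:
        status, fixed = triage(product, version)
        target = ".".join(map(str, fixed)) if fixed else "n/a"
        print(f"{product:20} {version:10} {status:11} fix: {target}")
```

A `not-listed` result means only that the article does not name that product branch; it is not a statement that the release is safe.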

SAP’s Vulnerabilities in Multiple Products

SAP has also released updates for four critical vulnerabilities affecting its NetWeaver AS ABAP, ABAP Platform, SAP Commerce Cloud, and SAP Data Hub. These vulnerabilities include:

– CVE-2026-44748 (CVSS score: 9.9): XML signature wrapping vulnerability in SAML authentication.
– CVE-2026-27671 (CVSS score: 9.8): Memory corruption vulnerability in Application Server ABAP.
– CVE-2026-22732 (CVSS score: 9.1): Potential Spring security vulnerability.
– CVE-2026-40128 (CVSS score: 9.0): Directory traversal vulnerability in SAP NetWeaver Application Server Java.

According to SAP security experts, these vulnerabilities could allow attackers to manipulate signed XML documents, leading to unauthorized access to sensitive user data. Notably, there is currently no evidence that these vulnerabilities have been exploited in the wild.

Users should update to the latest versions of the affected products.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
