Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.
The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).
“An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in an advisory.
The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle “Allow administrative login using FortiCloud SSO” in the registration page.
To temporarily protect their systems against attacks exploiting these vulnerabilities, organizations are advised to disable the FortiCloud login feature (if enabled) until it can be updated. This can be done in two ways –
- Go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off
- Run the below command in the CLI –
config system global
set admin-forticloud-sso-login disable
endIvanti Releases Fix for Critical EPM Flaw
Ivanti has also shipped updates to address four security flaws in Endpoint Manager (EPM), one of which is a critical severity bug in the EPM core and remote consoles. The vulnerability, assigned the CVE identifier CVE-2025-10573, carries a CVSS score of 9.6.
“Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session,” Ivanti said.
Rapid7 security researcher Ryan Emmons, who discovered and reported the shortcoming on August 15, 2025, said it allows an attacker with unauthenticated access to the primary EPM web service to join fake managed endpoints to the EPM server so as to poison the administrator web dashboard with malicious JavaScript.
“When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session,” Emmons said.
The company noted that user interaction is required to exploit the flaw and that it’s not aware of any attacks in the wild. It has been patched in EPM version 2024 SU4 SR1.
Also patched in the same version are three other high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662) that could allow a remote, unauthenticated attacker to achieve arbitrary code execution. CVE-2025-13662, like in the case of CVE-2025-59718 and CVE-2025-59719, stems from improper verification of cryptographic signatures in the patch management component.
SAP Fixes Three Critical Flaws
Lastly, SAP has pushed December security updates to address 14 vulnerabilities across multiple products, including three critical-severity flaws. They are listed below –
- CVE-2025-42880 (CVSS score: 9.9) – A code injection vulnerability in SAP Solution Manager
- CVE-2025-55754 (CVSS score: 9.6) – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
- CVE-2025-42928 (CVSS score: 9.1) – A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE)
Boston-based SAP security platform Onapsis has been credited with reporting CVE-2025-42880 and CVE-2025-42928. The company said it identified a remote-enabled function module in SAP Solution Manager that enables an authenticated attacker to inject arbitrary code.
“Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch,” Onapsis security researcher Thomas Fritsch said.
CVE-2025-42928, on the other hand, allows for remote code execution by providing specially crafted input to the SAP jConnect SDK component. However, a successful exploitation requires elevated privileges.
With security vulnerabilities in Fortinet, Ivanti, and SAP’s software frequently exploited by bad actors, it’s essential that users move quickly to apply the fixes.
