Ivanti, Fortinet, SAP Patch Critical RCE and Auth Bypass Flaws
Fortinet, Ivanti, and SAP have rolled out urgent security updates addressing multiple critical vulnerabilities that could enable arbitrary code execution, authentication bypass, and information disclosure across widely deployed enterprise products. Fortinet disclosed CVE-2026-25089, a command injection flaw (CVSS 9.1) in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. Tracked as CWE-78, the bug allows an unauthenticated attacker to execute unauthorized OS commands through specially crafted HTTP requests. Affected versions include FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, with patches available in 5.0.6 and 4.4.9 respectively. Administrators should also run a quick SSL/TLS checker to confirm their sandbox appliances are not exposing management interfaces over insecure channels during remediation.
Ivanti published fixes for two severe flaws in Ivanti Sentry (formerly MobileIron Sentry) that received near-maximum severity scores. CVE-2026-10520 (CVSS 10.0) is an OS command injection vulnerability allowing remote unauthenticated attackers to achieve root-level code execution on versions prior to R10.5.2, R10.6.2, and R10.7.1. According to watchTowr Labs, exploitation targets the "/mics/api/v2/sentry/mics-config/handleMessage" endpoint, which is interpreted as a MICS configuration command by the backend "handleExecute()" component. The second flaw, CVE-2026-10523 (CVSS 9.9), is an authentication bypass permitting unauthenticated attackers to create arbitrary administrative accounts. Researchers note that Ivanti's patch not only removed attacker control over the vulnerable execution path but also added an authentication layer redirecting unauthenticated requests to the login page. Security teams handling these updates should run a password checker to ensure no admin credentials were compromised during the window of exposure.
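For teams reviewing the exposure window described above, one concrete starting point is to look back through access logs for requests to the MICS endpoint the article names. The script below is an added example, not code from the article, Ivanti, or watchTowr Labs: it assumes logs in the common "combined" web-server format (as a reverse proxy or WAF in front of the appliance would write them), takes the endpoint path from the article, and runs over a handful of constructed sample lines. It reports hits by source IP and HTTP status; since the patch redirects unauthenticated requests to the login page, 200 responses on an appliance that was unpatched at the time merit a closer look.

```python
"""Retrospective access-log review for the Ivanti Sentry MICS endpoint.

Added example (not from the article, Ivanti, or watchTowr Labs).
Assumes combined-format access logs; the sample lines below are constructed.
"""
import re
from collections import Counter

# Endpoint path quoted in the article from the watchTowr Labs analysis.
SENTRY_MICS_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Combined log format:
#   ip - user [timestamp] "METHOD path PROTOCOL" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so the path comparison is exact.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_mics_requests(lines):
    """Return parsed records whose request path is the MICS config endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == SENTRY_MICS_ENDPOINT:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count matching requests per source IP and per HTTP status code."""
    return {
        "by_ip": Counter(h["ip"] for h in hits),
        "by_status": Counter(h["status"] for h in hits),
    }


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] '
    '"POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] '
    '"POST /mics/api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2026:12:01:00 +0000] '
    '"GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:12:01:05 +0000] '
    '"GET /mics/api/v2/sentry/status HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    'not a log line',  # malformed input is skipped, not fatal
]

if __name__ == "__main__":
    found = find_mics_requests(SAMPLE_LOG)
    stats = summarize(found)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("by source IP:", dict(stats["by_ip"]))
    print("by status:   ", dict(stats["by_status"]))
```

To use this against real logs, replace SAMPLE_LOG with the lines of the relevant log file and narrow the time range to the period between the vulnerable version's deployment and the patch. Any hit from an address that is not a known management host should be treated as an indicator worth investigating alongside the admin-account review the article recommends.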
Rounding out the patch cycle, SAP released fixes for four critical vulnerabilities affecting NetWeaver AS ABAP, ABAP Platform, SAP Commerce Cloud, and SAP Data Hub. CVE-2026-44748 (CVSS 9.9) is an XML signature wrapping flaw in SAML authentication within NetWeaver AS ABAP and ABAP Platform, while CVE-2026-27671 (CVSS 9.8) is a memory corruption vulnerability in the Application Server ABAP. CVE-2026-22732 (CVSS 9.1) addresses a potential Spring security issue in SAP Commerce Cloud and SAP Data Hub. Given the breadth of these enterprise platforms, security teams should also perform a broader privacy checkup across their SAP landscape to verify segmentation, patch levels, and exposed services before threat actors begin chaining these newly disclosed flaws into active attack campaigns.