HackMyIP
2026-05-18 The Hacker News

Ivanti, Fortinet, SAP, VMware Patch Critical RCE, SQL Injection, Privilege Escalation

Vulnerability, Zero-Day, Authentication

Multiple enterprise software vendors have released security patches for severe vulnerabilities that could allow remote code execution, authentication bypass, and privilege escalation. The most critical flaw affects Ivanti Xtraction (CVE-2026-8043, CVSS 9.6): an external control of file name vulnerability in versions prior to 2026.2 lets an authenticated remote attacker read sensitive files and write arbitrary HTML into web directories, enabling information disclosure and client-side attacks. Fortinet has published advisories for two critical vulnerabilities, an improper access control flaw and a missing authorization flaw (CVE-2026-44277 and CVE-2026-26083, both CVSS 9.1), affecting the FortiAuthenticator and FortiSandbox product lines and allowing unauthenticated attackers to execute unauthorized code via crafted HTTP requests. Organizations should apply the patches immediately and verify which affected instances are reachable across their infrastructure; our port scanner can help identify exposed ones.
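
The Ivanti flaw is classed as external control of a file name (CWE-73): the application lets the caller choose the path it reads or writes. The following is an added example, not Ivanti's code or code from the article, showing that pattern in a minimal Python file-serving routine beside a hardened version that confines the name to a single component inside the intended directory and refuses to write anything but a fixed export type into a fixed subdirectory. The web root, file names and file contents are constructed for the demonstration.

```python
"""
Added example (not Ivanti's code): a file-serving routine with an externally
controlled file name (CWE-73) beside a hardened version. The web root and
its files are constructed here for the demonstration.
"""
import os
import tempfile
from pathlib import Path


def make_webroot():
    """Constructed layout: a web root holding one report, and a config file
    one level above it that the application must never expose."""
    root = Path(tempfile.mkdtemp())
    webroot = root / "webroot"
    webroot.mkdir()
    (webroot / "report.txt").write_text("quarterly numbers")
    (root / "app.conf").write_text("db_password=constructed")
    return webroot


def read_report_vulnerable(webroot, name):
    """The caller controls the whole name; '..' walks out of the web root."""
    return Path(os.path.join(str(webroot), name)).read_text()


def resolve_inside(base_dir, name):
    """Accept a single path component and confirm the resolved target
    (symlinks followed) still lives directly inside base_dir."""
    base = Path(base_dir).resolve()
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise ValueError("file name must be a single path component")
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("target escapes the intended directory")
    return target


def read_report_hardened(webroot, name):
    return resolve_inside(webroot, name).read_text()


def write_export_hardened(webroot, name, body):
    """Writes are confined to an exports/ subdirectory and one extension, so
    a caller cannot drop an .html file beside the application's own pages."""
    exports = Path(webroot) / "exports"
    exports.mkdir(exist_ok=True)
    target = resolve_inside(exports, name)
    if target.suffix != ".csv":
        raise ValueError("only .csv exports are allowed")
    target.write_text(body)
    return target


def demo():
    """Runs both variants against the same traversal and HTML-write attempts."""
    webroot = make_webroot()
    results = {
        "vulnerable_reads_config": read_report_vulnerable(webroot, "../app.conf"),
        "hardened_reads_report": read_report_hardened(webroot, "report.txt"),
    }
    attempts = (
        ("hardened_blocks_traversal", lambda: read_report_hardened(webroot, "../app.conf")),
        ("hardened_blocks_html", lambda: write_export_hardened(webroot, "page.html", "<script>")),
    )
    for key, call in attempts:
        try:
            call()
            results[key] = False
        except ValueError:
            results[key] = True
    return results
```

The containment check resolves the target before comparing, so a symlink planted inside the directory that points elsewhere is rejected as well as a literal `..`; checking the string alone would miss that case.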

SAP has addressed two critical vulnerabilities in its enterprise software portfolio. The first, CVE-2026-34263 (CVSS 9.6), is a missing authentication check in SAP Commerce Cloud caused by an overly permissive security configuration with improperly ordered rules; it lets unauthenticated users upload malicious configuration and inject code for arbitrary server-side execution. The second, CVE-2026-34260 (CVSS 9.6), is an SQL injection in SAP S/4HANA in which a low-privileged authenticated attacker can inject SQL through user-controlled input, potentially exposing sensitive database contents and degrading application availability. Because the Commerce Cloud flaw requires no credentials, it deserves the earliest attention; the S/4HANA flaw is reachable from any low-privileged account, so security teams should review which accounts hold such access while remediation is under way.
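
An added illustration of the class of the S/4HANA issue (not SAP's code; the tables, rows and payload are constructed): a lookup that splices user input into the statement lets a low-privileged user read a table the query never referenced, while the parameterized form returns nothing for the same input.

```python
"""
Added example (not SAP's code): a lookup that splices user input into SQL,
beside the parameterized form. The schema, rows and payload are constructed.
"""
import sqlite3

# Constructed attacker input: closes the string literal, appends a UNION that
# reads a table the original statement never referenced, and comments out
# the trailing quote the application adds.
INJECTION = "' UNION SELECT username || ':' || pw_hash FROM credentials --"


def build_db():
    """In-memory database with a table the low-privileged user may list and
    one it must never see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT);
        INSERT INTO employees (name, dept) VALUES ('alice', 'sales'), ('bob', 'finance');
        CREATE TABLE credentials (username TEXT, pw_hash TEXT);
        INSERT INTO credentials VALUES ('admin', 'constructed-hash');
    """)
    return conn


def names_in_dept_vulnerable(conn, dept):
    """String concatenation: the input becomes part of the statement."""
    sql = "SELECT name FROM employees WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def names_in_dept_hardened(conn, dept):
    """Bound parameter: the input is only ever a value, never SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM employees WHERE dept = ?", (dept,))]
```

The same splice point accepts anything the database will parse, which is also how an injection degrades availability: the attacker chooses how expensive the statement is. Parameterization removes the splice point; least privilege on the database account the application uses bounds what any remaining flaw can read.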

Broadcom has released a fix for VMware Fusion (CVE-2026-41702, CVSS 7.8), a high-severity time-of-check time-of-use (TOCTOU) vulnerability in operations performed by a setuid binary, which could allow a local user to escalate privileges. The fix is included in VMware Fusion 26H1. The flaw is a reminder that setuid helpers shipped with desktop virtualization products act with elevated privileges on behalf of ordinary users, so any check they perform on a user-supplied path must not be separable from the operation that follows it. Organizations running affected Fusion versions should update promptly and, since exploitation requires local access, review who can log in to those hosts and check them for signs of exploitation.
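
An added example of the class of the Fusion bug (not VMware's code): a check-then-use sequence on a path, with the race made deterministic by a hook that swaps the file for a symlink between the check and the open. The setuid context is simulated; the check here is that the file is a regular file owned by the invoking user, as a privileged helper might require before acting on a user-supplied path. The hardened version opens first with O_NOFOLLOW and validates the descriptor with fstat, so there is no second path resolution to race. File names and contents are constructed.

```python
"""
Added example (not VMware's code): a time-of-check/time-of-use race on a
path, and a descriptor-based version that removes the race. The privileged
context is simulated; the file system layout is constructed here.
"""
import os
import stat
import tempfile
from pathlib import Path


def make_layout():
    """Constructed layout: a file the caller legitimately owns, next to a
    file the privileged helper must never hand back to the caller."""
    root = Path(tempfile.mkdtemp())
    (root / "protected").write_text("contents a plain user must not see")
    user_file = root / "user_file"
    user_file.write_text("harmless")
    return root, user_file


def attacker_swap(path, target):
    """Simulated race: after the check has passed, replace the path with a
    symlink so a later open() of the same path resolves to a different file."""
    os.unlink(path)
    os.symlink(target, path)


def read_vulnerable(path, during_window=None):
    """Check the path, then open the path again: two separate resolutions."""
    st = os.stat(path)                                  # time of check
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError("refusing file")
    if during_window:
        during_window()                                 # attacker's window
    with open(path) as f:                               # time of use
        return f.read()


def read_hardened(path, during_window=None):
    """Open once, then validate the descriptor. O_NOFOLLOW refuses a symlink
    at the final component, and fstat() describes the object actually opened,
    so a swap before the open is rejected and a swap after it is irrelevant."""
    if during_window:
        during_window()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("refusing file")
        return os.read(fd, st.st_size).decode()
    finally:
        os.close(fd)


def demo():
    """Returns what each variant yields when the swap lands in the window."""
    results = {}
    root, user_file = make_layout()
    results["vulnerable"] = read_vulnerable(
        user_file, lambda: attacker_swap(user_file, root / "protected"))
    root, user_file = make_layout()
    try:
        read_hardened(user_file, lambda: attacker_swap(user_file, root / "protected"))
        results["hardened_refused"] = False
    except OSError:                                     # ELOOP from O_NOFOLLOW
        results["hardened_refused"] = True
    root, user_file = make_layout()
    results["hardened_normal"] = read_hardened(user_file)
    return results
```

O_NOFOLLOW covers only the final path component; a helper that must also distrust the directories leading to it opens them one component at a time with `dir_fd` (openat semantics) and the same flag. A real setuid program additionally compares against the caller's real uid rather than the effective one, which the simulation above does not need to distinguish.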

Source: The Hacker News
