Fortinet, Ivanti, SAP ship urgent fixes for RCE, auth bypass

December 10, 2025 at 12:00 AM

Vendors are rushing out critical patches after severe flaws in Fortinet, Ivanti, and SAP products were found to enable authentication bypass and remote code execution.

Fortinet

  • Affected products: FortiOS, FortiWeb, FortiProxy, FortiSwitchManager
  • CVEs: CVE-2025-59718, CVE-2025-59719 (CVSS 9.8)
  • Issue: Improper verification of cryptographic signatures lets an attacker bypass FortiCloud SSO authentication with a crafted SAML message (when the feature is enabled)
  • Default posture: FortiCloud SSO is not enabled out of the box. It is enabled when a device is registered to FortiCare and the toggle remains on
  • Temporary mitigation: Disable FortiCloud SSO login until patched
    • UI: System > Settings > switch "Allow administrative login using FortiCloud SSO" to Off
    • CLI: config system global; set admin-forticloud-sso-login disable; end
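As an added example (not from the article or from Fortinet), the following Python check scans a FortiOS configuration export for the admin-forticloud-sso-login setting named above, so a fleet can be triaged before patching. An absent line is reported as "verify" rather than "safe", since the advisory notes the toggle ends up on once a device is registered to FortiCare; the sample configs are constructed.

```python
import re
from typing import Optional

# Constructed FortiOS config excerpts (not real device output); only the
# "config system global ... end" block is inspected, other blocks are ignored.
SAMPLES = {
    "enabled": 'config system global\n    set hostname "fw-a"\n'
               '    set admin-forticloud-sso-login enable\nend\n'
               'config system interface\n    edit "port1"\n    next\nend\n',
    "disabled": 'config system global\n    set hostname "fw-b"\n'
                '    set admin-forticloud-sso-login disable\nend\n',
    "unset": 'config system global\n    set hostname "fw-c"\nend\n',
}

_GLOBAL_BLOCK = re.compile(r"^config system global\n(.*?)^end[ \t]*$", re.S | re.M)
_SSO_SETTING = re.compile(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\s*$", re.M)


def forticloud_sso_setting(config_text: str) -> Optional[str]:
    """Return 'enable', 'disable', or None when the setting is absent
    from (or there is no) 'config system global' block."""
    block = _GLOBAL_BLOCK.search(config_text)
    if not block:
        return None
    match = _SSO_SETTING.search(block.group(1))
    return match.group(1) if match else None


def assess(config_text: str) -> str:
    """Turn the setting into a review verdict. An absent line is not
    treated as safe: per the advisory, SSO login is turned on when the
    device is registered to FortiCare and the toggle is left on, so the
    state must be confirmed on the device rather than assumed."""
    setting = forticloud_sso_setting(config_text)
    if setting == "enable":
        return "EXPOSED: FortiCloud SSO login enabled; disable until patched"
    if setting == "disable":
        return "OK: FortiCloud SSO login disabled"
    return "VERIFY: setting not explicit; check System > Settings on the device"


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(f"{name}: {assess(cfg)}")
```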

Ivanti

  • Affected: Endpoint Manager (EPM) core and remote consoles prior to 2024 SU4 SR1
  • CVE: CVE-2025-10573 (CVSS 9.6), stored XSS leading to arbitrary JavaScript in the context of an admin session
  • Exploit path: An unauthenticated attacker can register fake endpoints that poison the admin dashboard; execution occurs when an admin views the interface
  • Status: Fixed in EPM 2024 SU4 SR1; no known in-the-wild exploits reported
  • Also fixed (high severity, potential RCE): CVE-2025-13659, CVE-2025-13661, CVE-2025-13662; CVE-2025-13662 stems from improper verification of cryptographic signatures in patch management

SAP

  • December updates address 14 vulnerabilities, including three critical issues:
    • CVE-2025-42880 (CVSS 9.9): Code injection in SAP Solution Manager (reported by Onapsis) — patch promptly due to Solution Manager’s central role
    • CVE-2025-55754 (CVSS 9.6): Multiple Apache Tomcat flaws within SAP Commerce Cloud
    • CVE-2025-42928 (CVSS 9.1): Deserialization vulnerability in SAP jConnect SDK for Sybase ASE enabling RCE; requires elevated privileges (reported by Onapsis)

What to do now

  • Patch Fortinet, Ivanti EPM, and impacted SAP components immediately
  • If applicable, disable Fortinet FortiCloud SSO login until updates are applied
  • Reduce risk: make sure endpoint-supplied data is sanitized and encoded before it is rendered in admin consoles, apply least-privilege segmentation, and train admins on dashboard hygiene
  • Monitor for suspicious SAML activity, unexpected device reports, and admin session anomalies

Source: The Hacker News