Fortinet, Ivanti, and SAP Issue Urgent Patches for Critical Flaws

Three major enterprise vendors — Fortinet, Ivanti, and SAP — have released urgent fixes for vulnerabilities that could lead to authentication bypass and remote code execution. These flaws carry CVSS scores between 9.1 and 9.9, underscoring their severity.

Fortinet (CVE‑2025‑59718, CVE‑2025‑59719)

  • Products affected: FortiOS, FortiWeb, FortiProxy, FortiSwitchManager.
  • Issue: Improper verification of cryptographic signatures (CWE‑347).
  • Impact: Allows unauthenticated attackers to bypass FortiCloud SSO login via crafted SAML messages.
  • Mitigation:
    • Disable FortiCloud SSO login until patched:
      • GUI: System → Settings → toggle off “Allow administrative login using FortiCloud SSO”.
      • CLI:
          config system global
              set admin-forticloud-sso-login disable
          end
  • Note: FortiCloud SSO is not enabled by default, only when registered to FortiCare.
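A quick way to confirm whether a firewall still has the FortiCloud SSO login toggle on is to check an exported configuration for the admin-forticloud-sso-login setting named above. The script below is an added example written for this page, not Fortinet's code or tooling; it parses a constructed FortiOS-style configuration dump (the sample text is made up for illustration) and reports the setting's state, treating an absent setting as the default, which the advisory says means disabled.

```python
import re

# Constructed sample of a FortiOS-style configuration export (illustration only,
# not a real device dump). The SSO toggle is explicitly enabled here.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set admintimeout 5
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

SETTING = "admin-forticloud-sso-login"
_SET_RE = re.compile(r"^set %s\s+(enable|disable)\b" % re.escape(SETTING))


def forticloud_sso_state(config_text: str) -> str:
    """Return 'enable', 'disable', or 'default' for the FortiCloud SSO login setting.

    Only the 'config system global' section is inspected; 'default' means the
    line is absent, which the advisory describes as SSO login being off unless
    the unit was registered to FortiCare.
    """
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
            continue
        if in_global and line == "end":
            in_global = False
            continue
        if in_global:
            m = _SET_RE.match(line)
            if m:
                return m.group(1)
    return "default"


def forticloud_sso_enabled(config_text: str) -> bool:
    """True only when the setting is explicitly enabled."""
    return forticloud_sso_state(config_text) == "enable"


def remediation_commands() -> str:
    """The CLI sequence from the advisory that turns the SSO login off."""
    return "config system global\n    set %s disable\nend" % SETTING


if __name__ == "__main__":
    state = forticloud_sso_state(SAMPLE_CONFIG)
    print("FortiCloud SSO login state:", state)
    if forticloud_sso_enabled(SAMPLE_CONFIG):
        print("Apply until patched:\n" + remediation_commands())
```

Run it against a real export by reading the file into forticloud_sso_state; a result of 'enable' on an unpatched unit is the condition the advisory's mitigation addresses.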

Ivanti Endpoint Manager (CVE‑2025‑10573 + 3 others)

  • Critical flaw (CVSS 9.6): Stored XSS in EPM core and remote consoles.
    • Exploitable by unauthenticated attackers to poison dashboards with malicious JavaScript.
    • Triggered when an admin views the compromised dashboard → attacker gains control of the session.
  • Other patched flaws: CVE‑2025‑13659, CVE‑2025‑13661, CVE‑2025‑13662 (arbitrary code execution).
    • CVE‑2025‑13662 also stems from improper cryptographic signature verification.
  • Fix: Update to EPM version 2024 SU4 SR1.
  • Status: No known exploitation in the wild yet, but risk is high.

SAP (CVE‑2025‑42880, CVE‑2025‑55754, CVE‑2025‑42928)

  • CVE‑2025‑42880 (CVSS 9.9): Code injection in SAP Solution Manager.
    • Exploitable by authenticated attackers to inject arbitrary code.
    • Critical due to Solution Manager’s central role in SAP landscapes.
  • CVE‑2025‑55754 (CVSS 9.6): Multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud.
  • CVE‑2025‑42928 (CVSS 9.1): Deserialization flaw in SAP jConnect SDK for Sybase ASE.
    • Allows remote code execution with crafted input (requires elevated privileges).
  • Fixes included in SAP’s December 2025 patch release (14 vulnerabilities total).

Why This Matters

  • These flaws affect core enterprise infrastructure: VPN gateways, endpoint management, and ERP systems.
  • Attackers frequently exploit such vulnerabilities for data theft, ransomware, and lateral movement.
  • Past campaigns show adversaries move quickly once technical details are public.

Recommended Actions

  1. Patch immediately: Apply vendor updates for Fortinet, Ivanti EPM, and SAP products.
  2. Disable risky features: FortiCloud SSO login if not needed.
  3. Audit logs: Look for suspicious SAML messages, poisoned dashboards, or unusual SAP activity.
  4. Harden systems: Restrict admin access, enforce MFA, and monitor for exploitation attempts.
  5. Stay updated: Subscribe to vendor advisories and threat intel feeds.
