Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Fortinet and Ivanti on Tuesday rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws.
Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal.
The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.
Remote, unauthenticated attackers could exploit the weakness via specially crafted HTTP requests to execute arbitrary commands on vulnerable appliances, the company’s advisory reads.
Patches for the CVE were included in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6.
The other two vulnerabilities that Fortinet patched on Tuesday are medium-severity flaws in FortiOS and FortiProxy, and FortiPortal API, respectively. Authenticated users could exploit them for script execution and to disclose sensitive network configuration data.
Fortinet makes no mention of any of these security...
Copyright of this story solely belongs to securityweek.com.