Fortinet, Ivanti and SAP released security updates addressing multiple critical vulnerabilities that could allow authentication bypasses, arbitrary code execution or session takeover if exploited, the vendors said.
Fortinet said the flaws in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager stem from improper verification of a cryptographic signature. Tracked as CVE-2025-59718 and CVE-2025-59719, both with CVSS scores of 9.8, they could let an attacker bypass FortiCloud single sign-on (SSO) with a crafted SAML message if the feature is enabled. The company noted that FortiCloud SSO is not enabled by default and provided temporary mitigation steps: disable the feature through the system settings, or run the CLI commands to set admin-forticloud-sso-login to disable, until devices can be updated.
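The Fortinet workaround above is a single global setting, so it is easy to audit across a fleet from configuration backups. The following Python is an added example, not Fortinet's tooling or code from the article: it parses the `config system global` block of a FortiOS-style configuration export and flags devices where FortiCloud SSO admin login is still enabled. The sample configuration text, hostnames and addresses are constructed; the parser assumes the standard `config ... set ... end` layout of FortiOS exports and that, as the article states, the feature is off by default, so a backup with no `admin-forticloud-sso-login` line is treated as disabled (FortiOS backups omit settings left at their default).

```python
import re

# Constructed sample of a FortiOS configuration export (not from the article).
# Exports group settings under "config <path>" ... "end" blocks and leave out
# settings that still have their default value.
SAMPLE_CONFIG_SSO_ENABLED = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set timezone "Europe/London"
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

# Same device after the temporary mitigation from the advisory:
#   config system global
#       set admin-forticloud-sso-login disable
#   end
SAMPLE_CONFIG_MITIGATED = SAMPLE_CONFIG_SSO_ENABLED.replace(
    "set admin-forticloud-sso-login enable",
    "set admin-forticloud-sso-login disable",
)

# Device that never enabled the feature: the line is absent (default value).
SAMPLE_CONFIG_DEFAULT = "\n".join(
    line for line in SAMPLE_CONFIG_SSO_ENABLED.splitlines()
    if "admin-forticloud-sso-login" not in line
) + "\n"


def global_block(config_text: str) -> str:
    """Return the body of the 'config system global' block, or '' if absent."""
    m = re.search(r"^config system global\n(.*?)^end\s*$",
                  config_text, re.S | re.M)
    return m.group(1) if m else ""


def forticloud_sso_login_enabled(config_text: str) -> bool:
    """True only if admin login via FortiCloud SSO is explicitly enabled.

    Assumption (from the article): the feature is disabled by default, and a
    FortiOS export omits default-valued settings, so a missing line means
    'disable'.
    """
    body = global_block(config_text)
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(\S+)", body, re.M)
    return bool(m) and m.group(1).lower() == "enable"


def needs_mitigation(config_text: str) -> bool:
    """Flag a device where the temporary workaround has not been applied."""
    return forticloud_sso_login_enabled(config_text)


if __name__ == "__main__":
    for label, cfg in [("sso-enabled", SAMPLE_CONFIG_SSO_ENABLED),
                       ("mitigated", SAMPLE_CONFIG_MITIGATED),
                       ("default", SAMPLE_CONFIG_DEFAULT)]:
        print(f"{label:12s} needs mitigation: {needs_mitigation(cfg)}")
```

Run it against exported backups rather than live `show` output: `show` also omits defaults, but `show full-configuration` prints every setting, in which case the explicit `disable` value is what the check should see. Either way, a `True` result means the device is exposed until it is patched.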
Ivanti issued an update for Endpoint Manager (EPM) fixing four vulnerabilities, including a critical stored cross-site scripting (XSS) flaw, CVE-2025-10573 (CVSS 9.6), that can allow unauthenticated attackers to execute JavaScript in an administrator's session. Rapid7 researcher Ryan Emmons, who reported the issue, described how an attacker with unauthenticated access to the EPM web service can join fake endpoints and poison administrator dashboards to trigger client-side JavaScript and hijack sessions.
Ivanti noted the stored XSS requires user interaction and that it is not aware of exploitation in the wild; the fixes are included in EPM version 2024 SU4 SR1. The same update also addresses three other high-severity issues (CVE-2025-13659, CVE-2025-13661 and CVE-2025-13662) that could lead to remote code execution, with CVE-2025-13662 linked to improper cryptographic signature verification in the patch management component.
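The Ivanti flaw described above is the classic stored XSS shape: data supplied by an untrusted party (here, an endpoint that anyone can register) is later rendered into a privileged user's page. The following Python is an added example, not Ivanti's code and not the actual EPM defect: it shows the vulnerable rendering pattern beside the hardened one, plus an input-side plausibility check that a defender can use to alert on enrolment data that does not look like a hostname. The field names, the row template and the sample endpoint records are constructed.

```python
import html
import re

# Constructed sample of what an enrolling endpoint reports about itself.
# Hypothetical field names, not Ivanti's schema. Anyone who can enrol a fake
# endpoint controls every value here.
LEGIT_ENDPOINT = {"hostname": "LAPTOP-42", "os": "Windows 11"}
ROGUE_ENDPOINT = {"hostname": "LAPTOP-42<script>alert(1)</script>",
                  "os": "Windows 11"}

# RFC 1123 host-name labels: alphanumerics and hyphens, 1..63 chars per label,
# no leading or trailing hyphen. Used as a plausibility filter, not as the
# security control (output encoding below is the control).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_plausible_hostname(value: str) -> bool:
    """Cheap enrolment-time check; a failure is worth an alert, not just a reject."""
    return len(value) <= 253 and bool(_HOSTNAME_RE.match(value))


def render_row_unsafe(endpoint: dict) -> str:
    """Vulnerable pattern: untrusted strings concatenated straight into HTML.

    Whatever the endpoint sent becomes markup in the administrator's browser.
    """
    return (f"<tr><td>{endpoint['hostname']}</td>"
            f"<td>{endpoint['os']}</td></tr>")


def render_row_safe(endpoint: dict) -> str:
    """Hardened pattern: HTML-escape every untrusted value at the output point.

    html.escape(..., quote=True) neutralises < > & " ' so the value can only
    ever be displayed as text, regardless of what the enrolment check did.
    """
    cells = (html.escape(str(endpoint[k]), quote=True)
             for k in ("hostname", "os"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_enrolments(endpoints: list[dict]) -> list[dict]:
    """Detection helper: return records whose hostname fails the plausibility check."""
    return [e for e in endpoints if not is_plausible_hostname(e["hostname"])]


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(ROGUE_ENDPOINT))
    print("safe:  ", render_row_safe(ROGUE_ENDPOINT))
    print("flagged:", suspicious_enrolments([LEGIT_ENDPOINT, ROGUE_ENDPOINT]))
```

Two points carry over to any management console, not just EPM: escaping must happen at the point where the value enters HTML (templating engines with auto-escaping do this for you, string formatting does not), and the enrolment-time check is there to surface poisoning attempts in logs rather than to replace the encoding.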
SAP published its December security notes, fixing 14 vulnerabilities across its products, including three critical flaws: CVE-2025-42880 (code injection in SAP Solution Manager, CVSS 9.9), CVE-2025-55754 (issues in Apache Tomcat within SAP Commerce Cloud, CVSS 9.6) and CVE-2025-42928 (deserialization in SAP jConnect SDK for Sybase ASE, CVSS 9.1). The research firm Onapsis, credited with reporting the Solution Manager and jConnect issues, recommended timely patching given Solution Manager's central role in SAP landscapes; SAP posted the updates on its support portal.
With these vendors frequently targeted by threat actors, organisations are urged to apply the available updates promptly and, where immediate patching is not feasible, to implement the vendors’ recommended mitigations.