Fortinet, Ivanti patch critical authentication and code-execution flaws

Fortinet and Ivanti have released security updates to address multiple critical and high-risk vulnerabilities that could enable attackers to bypass authentication mechanisms or execute malicious code on affected systems.

Fortinet’s patches cover serious flaws in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, stemming from improper verification of cryptographic signatures. Tracked as CVE-2025-59718 and CVE-2025-59719, the vulnerabilities could allow an unauthenticated attacker to bypass FortiCloud SSO login protections using a crafted SAML message.

“An Improper Verification of Cryptographic Signature vulnerability in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in its advisory.

The company noted that FortiCloud SSO is disabled by default, but may be activated when administrators register a device with FortiCare. As a precaution, organizations using the feature are urged to disable FortiCloud login temporarily until patches are fully deployed.

Ivanti, meanwhile, has issued fixes for four security issues in its Endpoint Manager (EPM) product, including a high-risk vulnerability (CVE-2025-10573) affecting the EPM core and remote consoles. The flaw, a stored cross-site scripting (XSS) issue, allows remote, unauthenticated attackers to run arbitrary JavaScript in an administrator’s browser session.

“Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required,” Ivanti noted.

The vulnerability was reported by Rapid7 researcher Ryan Emmons, who discovered that it could be exploited by adding maliciously crafted fake endpoints to the EPM server. When administrators view compromised dashboard elements, the attacker’s JavaScript executes automatically, effectively taking over the session.
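The pattern described above, untrusted data written by an unauthenticated party and later rendered into an administrator's dashboard, is the textbook shape of stored XSS. The following is an added, generic illustration written for this page; it is not Ivanti's code and says nothing about how EPM actually renders its dashboard. The `fakeEndpoint` record, the field names and the two renderer functions are constructed for the example. It places a naive renderer that interpolates the endpoint's hostname straight into HTML beside a hardened one that applies contextual output encoding, and includes a small check a reviewer could run to confirm that no raw tag from untrusted input survives into the markup.

```javascript
// Added example (not Ivanti's code): stored XSS via an attacker-controlled
// endpoint name rendered into dashboard HTML, and the encoding that neutralises it.

// Constructed sample: an endpoint record as an unauthenticated party could
// register it. The hostname field carries markup instead of a real name.
const fakeEndpoint = {
  id: 1042,
  hostname: '<script>document.title="owned"</script>',
  lastSeen: '2025-12-09T10:15:00Z',
};

// Vulnerable renderer: raw string interpolation, no output encoding.
// Whatever was stored in `hostname` becomes live markup in the admin's browser.
function renderRowUnsafe(ep) {
  return `<tr><td>${ep.id}</td><td>${ep.hostname}</td><td>${ep.lastSeen}</td></tr>`;
}

// HTML-body encoding of the five characters that can change parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every field that originated outside the server's trust
// boundary passes through escapeHtml before it touches the markup.
function renderRowSafe(ep) {
  return `<tr><td>${escapeHtml(ep.id)}</td><td>${escapeHtml(ep.hostname)}</td><td>${escapeHtml(ep.lastSeen)}</td></tr>`;
}

// Review check: true when an untrusted value that contains a tag opener
// appears verbatim (unencoded) in the rendered HTML.
function containsRawTag(html, untrusted) {
  return /<[a-z!/]/i.test(untrusted) && html.includes(untrusted);
}

console.log('unsafe:', renderRowUnsafe(fakeEndpoint));
console.log('safe:  ', renderRowSafe(fakeEndpoint));
console.log('raw tag leaked (unsafe):', containsRawTag(renderRowUnsafe(fakeEndpoint), fakeEndpoint.hostname));
console.log('raw tag leaked (safe):  ', containsRawTag(renderRowSafe(fakeEndpoint), fakeEndpoint.hostname));
```

Encoding at render time, in the context the value lands in, is the control that matters here; validating the hostname at registration helps but cannot be relied on alone, because the same stored value may later be rendered in an HTML attribute, a JavaScript string or a URL, each needing its own encoding. A Content Security Policy that forbids inline scripts limits the blast radius when a renderer is missed.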
