Fortinet and Ivanti on Tuesday rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws.
Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal.
The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.
Remote, unauthenticated attackers could exploit the weakness via specially crafted HTTP requests to execute arbitrary commands on vulnerable appliances, the company’s advisory reads.
Patches for the CVE were included in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6.
The other two vulnerabilities that Fortinet patched on Tuesday are medium-severity flaws in FortiOS and FortiProxy, and FortiPortal API, respectively. Authenticated users could exploit them for script execution and to disclose sensitive network configuration data.
Fortinet makes no mention of any of these security defects being exploited in the wild.
On Tuesday, Ivanti released Sentry versions 10.5.2, 10.6.2, and 10.7.1 and Endpoint Manager Mobile (EPMM) versions 12.9.0.1, 12.8.0.3, and 12.7.0.2 with fixes for two security weaknesses each.
The Sentry update resolves two critical-severity bugs, including CVE-2026-10520 (CVSS score of 10), an OS command injection issue that could be exploited remotely, without authentication, to execute arbitrary code with root privileges.
Tracked as CVE-2026-10523 (CVSS score of 9.9), the second flaw is an authentication bypass that could allow remote, unauthenticated attackers to create user accounts with the role of administrator and gain full access to vulnerable appliances.
The EPMM update addresses two high-severity vulnerabilities, tracked as CVE-2026-6973 and CVE-2026-10727, that could allow authenticated attackers to achieve remote code execution via arbitrary Apache directives, and execute arbitrary commands with root privileges, respectively.
Ivanti says it has no evidence of any of these security flaws being exploited in the wild.
Related: Microsoft Patches 200 Vulnerabilities
Related: Adobe Patches 123 Vulnerabilities
Related: OpenSSL Patches High-Severity Vulnerability Found With AI
Related: SAP Patches Critical NetWeaver, Commerce Vulnerabilities
