Three major enterprise technology vendors — Fortinet, Ivanti, and SAP — have issued security patches addressing critical flaws that could let attackers execute arbitrary code, take control of administrative accounts, or access sensitive data on affected systems. According to available reporting, some of the disclosed vulnerabilities carry CVSS scores as high as 10.0.
FortiSandbox Command Injection Among the Documented Flaws
The most clearly documented flaw in this round of disclosures is a command injection vulnerability affecting Fortinet's FortiSandbox product line, including its Cloud and PaaS deployments. The flaw, identified in the source report as CVE-2026-25089, is described as carrying a CVSS score of 9.1 — placing it in the critical severity tier.
Command injection vulnerabilities allow an attacker to execute arbitrary operating system commands on a targeted system. In the context of FortiSandbox — a product designed to isolate and analyse suspicious files to detect threats — a successful exploit could undermine an organisation's threat detection capabilities and potentially provide a foothold into the broader network environment.
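The command-injection pattern described above, shown as an added Python example that is not from the original report or from Fortinet's code: a vulnerable command builder that concatenates an untrusted file name into a shell string, next to a hardened version that allowlists the name and hands the process an argv list so no shell re-parses it. The `scan_tool` name, the `/samples/` path and the sample file names are constructed placeholders, not anything taken from FortiSandbox.

```python
import re
import shlex

# Constructed sample inputs (not from the original report): one benign file
# name and one that carries a shell separator. The trailing token is an inert
# placeholder word, not a real command.
BENIGN_NAME = "invoice_2024.pdf"
TAINTED_NAME = "invoice.pdf; extra_command"

# Allowlist for a sample file name: letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

# Tokens a POSIX shell treats as command separators.
SEPARATORS = {";", "&&", "||", "|", "&"}


def build_command_vulnerable(sample_name: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command line.

    If this string is handed to a shell (for example via shell=True), every
    separator inside sample_name starts a new command.
    """
    return f"scan_tool --input /samples/{sample_name}"


def shell_tokens(command_line: str) -> list[str]:
    """Tokenise the line the way a POSIX shell would, keeping separators as tokens."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def command_count(command_line: str) -> int:
    """Number of separate commands a shell would run for this line (1 if none injected)."""
    return 1 + sum(1 for tok in shell_tokens(command_line) if tok in SEPARATORS)


def build_command_hardened(sample_name: str) -> list[str]:
    """Hardened pattern: allowlist the input, then build an argv list.

    The list form is executed without a shell (subprocess.run(argv)), so the
    file name arrives as one argument and is never re-parsed for metacharacters.
    Names starting with '-' are rejected so they cannot be read as options, and
    '.'/'..' are rejected because the regex alone would allow them.
    """
    if not SAFE_NAME.fullmatch(sample_name):
        raise ValueError(f"rejected sample name: {sample_name!r}")
    if sample_name.startswith("-") or sample_name in {".", ".."}:
        raise ValueError(f"rejected sample name: {sample_name!r}")
    return ["scan_tool", "--input", f"/samples/{sample_name}"]


def is_accepted(sample_name: str) -> bool:
    """True if the hardened builder accepts the name, False if it rejects it."""
    try:
        build_command_hardened(sample_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in (BENIGN_NAME, TAINTED_NAME):
        line = build_command_vulnerable(name)
        print(f"vulnerable: {line!r} -> {command_count(line)} command(s)")
        print(f"hardened:   accepted={is_accepted(name)}")
```

Running the module shows the benign name yielding one command under both builders, while the tainted name yields two commands through the vulnerable builder and is rejected outright by the hardened one; the same allowlist-then-argv approach is the general fix for any code path that forwards user-controlled strings to the operating system.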
The vulnerability affects the product's web-based user interface, making it a particularly attractive target for remote attackers. Fortinet has released patches for all three affected deployment models, and administrators are advised to apply updates as soon as practicable.
Ivanti and SAP Also Issue Fixes
The same disclosure covers security updates from Ivanti and SAP, though full details — including specific CVE identifiers and affected products — were not available at the time of reporting. Both vendors are known to manage large portfolios of enterprise infrastructure and business software, and their critical patches typically carry significant implications for organisations running their platforms.
SAP, in particular, serves a vast global customer base spanning enterprise resource planning, supply chain management, and business analytics. Past critical vulnerabilities in SAP products have drawn attention from national cyber security agencies due to the sensitive data they often protect.
Ivanti, meanwhile, has faced repeated scrutiny in recent years over vulnerabilities in its endpoint management and network access products, with multiple flaws actively exploited in the wild.
A Reminder of Patch Discipline
The coordinated timing of these disclosures underscores the ongoing challenge enterprise IT teams face in keeping pace with security advisories from multiple vendors simultaneously. Organisations running any of the affected products should review their vendor's official advisory for the most current patching guidance.
It is worth noting that the full scope of the Ivanti and SAP advisories remains incomplete in publicly available reporting. Once those vendors publish detailed security bulletins with specific CVE identifiers, additional updates or follow-up coverage may be warranted.
For IT administrators, the FortiSandbox command injection flaw remains among the most urgent items on this list, given its critical CVSS rating and the nature of the affected interface. Organisations unable to patch immediately should consider restricting access to the FortiSandbox web UI as a temporary mitigation measure while testing and deploying the update. Given that certain vulnerabilities in this disclosure carry the maximum possible severity score, prompt review of all three vendors' advisories should be treated as a priority.