
Fortinet, Ivanti, SAP Patch Critical Vulnerabilities


"An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests," Fortinet said.

That single sentence — part technical diagnosis, part urgent directive — summarizes three separate patch rollouts this week from Fortinet, Ivanti and SAP. Each vendor disclosed critical vulnerabilities that could permit remote code execution or unauthorized access; together they touch sandboxing infrastructure, mobile gateway software, and core enterprise application platforms. None of the vendors reported evidence of exploitation in the wild, but several of the flaws carry near-maximum CVSS scores and explicit upgrade paths.

Fortinet: CVE-2026-25089 in FortiSandbox WEB UI

Fortinet patched a command injection vulnerability tracked as CVE-2026-25089 with a CVSS score of 9.1. The company described the defect as an OS command injection (CWE-78) in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that "may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests."

  • Affected releases: FortiSandbox 5.0.0 through 5.0.5; FortiSandbox 4.4.0 through 4.4.8; FortiSandbox Cloud 5.0.4 through 5.0.5; FortiSandbox PaaS 5.0.4 through 5.0.5.
  • Remediation path: Fortinet advised upgrades to 5.0.6 or above for the 5.0.x lines and to 4.4.9 or above for the 4.4.x line.

Ivanti Sentry: two critical defects — CVE-2026-10520 and CVE-2026-10523

Ivanti published fixes for two severe flaws in Ivanti Sentry (formerly MobileIron Sentry). CVE-2026-10520, rated CVSS 10.0, is an operating system command injection issue that "allows a remote unauthenticated user to achieve root-level remote code execution" in versions before R10.5.2, R10.6.2, and R10.7.1. CVE-2026-10523, rated CVSS 9.9, is an authentication bypass that "allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access" in those same pre-patch releases.

  • Technical detail published by watchTowr Labs notes an attacker could exploit CVE-2026-10520 by issuing a specially crafted HTTP request to the "/mics/api/v2/sentry/mics-config/handleMessage" endpoint, which is then interpreted as a MICS configuration command and executed by a backend component named "handleExecute()."
  • Ivanti's patch "incorporates additional controls that block access to the vulnerable endpoint, causing unauthenticated requests to be redirected to the login page," the company said.
  • Security researcher Sonny Macdonald characterized Ivanti's approach: "Ivanti did not just remove attacker control over the vulnerable execution path. They also added a layer of protection in front of it to make reaching the endpoint significantly more difficult. In other words: they added authentication."

SAP: four high-severity fixes across NetWeaver, Commerce Cloud and Data Hub

SAP released updates addressing four critical vulnerabilities spanning NetWeaver AS ABAP and ABAP Platform, SAP Commerce Cloud, SAP Data Hub, and SAP NetWeaver Application Server Java (Web Container). The CVEs and scores reported were:

  • CVE-2026-44748 (CVSS 9.9) — XML signature wrapping vulnerability in SAML authentication in SAP NetWeaver AS ABAP and ABAP Platform.
  • CVE-2026-27671 (CVSS 9.8) — Memory corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform.
  • CVE-2026-22732 (CVSS 9.1) — Potential Spring security vulnerability within SAP Commerce Cloud and SAP Data Hub.
  • CVE-2026-40128 (CVSS 9.0) — Directory traversal vulnerability in SAP NetWeaver Application Server Java (Web Container).

Onapsis described the XML signature problem this way: "The application allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents with tampered identity information to the verifier." Onapsis added that, "Due to an improper XML signature verification, the manipulated identity information is accepted, leading to unauthorized access to sensitive user data and potential disruption of normal system usage."

Regarding CVE-2026-27671, SAP reported the defect allows an unauthenticated attacker to send a crafted RFC request that exploits how the SAP kernel validates the RFC protocol to achieve memory corruption.

What this means for security teams, procurement leaders, and end users

  • Security teams and technologists: Prioritize the specific upgrade paths named by the vendors — Fortinet's 5.0.6/4.4.9 targets and Ivanti releases R10.5.2, R10.6.2, R10.7.1 — and apply SAP's patches for the enumerated CVEs. For the Ivanti command-injection vector, teams should verify that the "/mics/api/v2/sentry/mics-config/handleMessage" endpoint is no longer reachable unauthenticated.
  • Procurement and operations leaders: Inventory deployments of FortiSandbox, Ivanti Sentry and affected SAP components to confirm which, if any, run the vulnerable versions listed in vendor advisories, and schedule upgrades in line with maintenance windows.
  • End users and administrators: Note that vendors said there is no evidence of exploitation in the wild, but the advisories and the source reminder — "it's always a safe practice to update to the latest version for optimal protection" — support prompt patching where upgrades are available.
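The inventory check the two list items above call for, as an added example that is not part of the original story or any vendor tool: it encodes only the affected ranges and fixed releases quoted in this article, compares a deployment's version against them, and names the upgrade target. Hostnames in the sample inventory are constructed placeholders, and the handling of Ivanti Sentry branches older than R10.5 is an assumption marked in the code.

```python
def parse_version(v):
    """'5.0.5' -> (5, 0, 5); Ivanti's 'R10.6.1' -> (10, 6, 1)."""
    return tuple(int(p) for p in v.strip().lstrip("Rr").split("."))

# (product, first affected, last affected, first fixed) as given in Fortinet's advisory.
FORTISANDBOX_RANGES = [
    ("FortiSandbox",       "5.0.0", "5.0.5", "5.0.6"),
    ("FortiSandbox",       "4.4.0", "4.4.8", "4.4.9"),
    ("FortiSandbox Cloud", "5.0.4", "5.0.5", "5.0.6"),
    ("FortiSandbox PaaS",  "5.0.4", "5.0.5", "5.0.6"),
]
# Ivanti Sentry is affected "before" each of these fixed releases on its R10.x branch.
IVANTI_SENTRY_FIXED = ["R10.5.2", "R10.6.2", "R10.7.1"]

def fortisandbox_status(product, version):
    """Return (status, first fixed release or None) for one FortiSandbox deployment."""
    pv = parse_version(version)
    for prod, lo, hi, fixed in FORTISANDBOX_RANGES:
        if prod == product and parse_version(lo) <= pv <= parse_version(hi):
            return "VULNERABLE", fixed
    return "not in a listed affected range", None

def ivanti_sentry_status(version):
    """Compare an Ivanti Sentry release with the fixed build on its R10.x branch."""
    pv = parse_version(version)
    for fixed in IVANTI_SENTRY_FIXED:
        fv = parse_version(fixed)
        if pv[:2] == fv[:2]:  # same major.minor branch
            return ("VULNERABLE", fixed) if pv < fv else ("patched", None)
    if pv < parse_version(IVANTI_SENTRY_FIXED[0]):
        # Assumption: a branch older than every fixed branch has no listed fix,
        # so report it as needing an upgrade rather than silently passing it.
        return "VULNERABLE (older than all fixed branches)", IVANTI_SENTRY_FIXED[0]
    return "newer than the listed branches; confirm with the vendor", None

def triage(inventory):
    """Rows of (hostname, product, version) -> rows of (hostname, status, upgrade_to)."""
    results = []
    for host, product, version in inventory:
        if product.startswith("FortiSandbox"):
            status, fixed = fortisandbox_status(product, version)
        elif product == "Ivanti Sentry":
            status, fixed = ivanti_sentry_status(version)
        else:
            status, fixed = "not covered by these advisories", None
        results.append((host, status, fixed))
    return results

# Constructed sample inventory; hostnames are placeholders, not real assets.
SAMPLE_INVENTORY = [("sbx-01", "FortiSandbox", "5.0.5"), ("sbx-02", "FortiSandbox", "4.4.9"),
                    ("sbx-c", "FortiSandbox Cloud", "5.0.3"), ("sentry-a", "Ivanti Sentry", "R10.6.1")]
```

Feed it the (hostname, product, version) rows from your CMDB or scanner export; anything reported VULNERABLE names the first release that the vendor lists as fixed. SAP components are left out because the article gives CVE numbers but no version ranges for them.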

Three separate vendor bulletins, three paths to hardening: Fortinet's fix raises the version floor for FortiSandbox, Ivanti's patch both closes the execution path and adds a gatekeeper, and SAP's updates address signature, memory corruption and traversal defects in core platforms. None has a public exploitation trace yet — but with CVSS scores clustered at 9.0 and above, the calculus for most defenders is simple: identify affected instances, apply the vendor-supplied fixes, and verify that the documented endpoints and protocols are no longer exposed.
