On Tuesday, Fortinet and Ivanti announced patches for multiple security vulnerabilities across their product lines. The updates address a total of 18 flaws, three of which are rated critical.
Fortinet’s Critical Security Fixes
Fortinet issued 11 advisories revealing several vulnerabilities, two of which are critical. The first flaw, identified as CVE-2026-44277 with a CVSS score of 9.1, is an improper access control issue in FortiAuthenticator. This vulnerability allows unauthorized remote access through specially crafted requests. Notably, FortiAuthenticator Cloud users remain unaffected.
The second critical flaw, CVE-2026-26083, also with a CVSS score of 9.1, involves a missing authorization issue in FortiSandbox, affecting both its cloud and PaaS WEB UI versions. Remote attackers could exploit this vulnerability through crafted HTTP requests, potentially enabling code or command execution.
Additionally, Fortinet addressed a high-severity out-of-bounds write vulnerability (CVE-2025-53844) in the FortiOS CAPWAP daemon, which could lead to unauthorized code execution on FortiGate devices. Exploitation requires an attacker to control an authenticated FortiAP, FortiExtender, or FortiSwitch.
Ivanti’s Security Updates
Ivanti released four advisories covering seven security defects across various products, including Ivanti Secure Access Client, Xtraction, Virtual Traffic Manager, and Endpoint Manager (EPM). The most severe issue, CVE-2026-8043, scored at 9.6, is an external control of file names vulnerability in Xtraction. This flaw could allow unauthorized reading of sensitive files and writing of arbitrary HTML files.
Ivanti also mitigated four high-severity vulnerabilities, which include SQL injection and incorrect permissions assignments in EPM, an OS command injection in Virtual Traffic Manager, and a race condition in Secure Access Client. These vulnerabilities pose risks of privilege escalation and remote code execution.
No Exploitation Detected
Both companies have stated that, as of now, there is no evidence that these vulnerabilities have been exploited in the wild. The swift release of patches underlines the ongoing commitment of Fortinet and Ivanti to protect their users from potential cyber threats.
In related security news, Zoom also released updates on Tuesday addressing three security issues, including two high-severity vulnerabilities in its Rooms for Windows and Workplace VDI Plugin for Windows products, which could lead to privilege escalation.
