Fortinet and Ivanti Patch 18 Flaws Across Product Lines, Including Critical Vulnerabilities
Fortinet and Ivanti released patches for 18 vulnerabilities, including three critical-severity bugs, with no evidence of in-the-wild exploitation reported.

Fortinet and Ivanti on Tuesday announced patches for 18 vulnerabilities across their product portfolios, including three critical-severity bugs that could allow unauthenticated remote code execution or file manipulation.
Fortinet published 11 advisories covering as many flaws, two of which are critical. The first, tracked as CVE-2026-44277 (CVSS 9.1), is an improper access control issue in FortiAuthenticator that can be exploited remotely without authentication via crafted requests. Fortinet noted that FortiAuthenticator Cloud is not affected. The second critical bug, CVE-2026-26083 (CVSS 9.1), is a missing authorization weakness in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that allows unauthenticated attackers to send crafted HTTP requests to achieve code or command execution.
Additionally, Fortinet resolved a high-severity out-of-bounds write vulnerability (CVE-2025-53844) in the FortiOS capwap daemon that could allow code execution on FortiGate devices, though the attacker must control an authenticated FortiAP, FortiExtender, or FortiSwitch. The company also fixed seven medium-severity flaws affecting FortiDeceptor, FortiAP, FortiAP-U, FortiAP-W2, FortiAnalyzer, FortiManager, FortiTokenAndroid, FortiMail, and FortiNDR.
Ivanti published four advisories detailing seven security defects. The most severe is CVE-2026-8043 (CVSS 9.6), an external control of a file name issue in Xtraction that could be exploited remotely to read sensitive files and write arbitrary HTML files to a web directory. Ivanti also resolved four high-severity vulnerabilities, including SQL injection and incorrect permissions assignment flaws in Endpoint Manager (EPM), an OS command injection in Virtual Traffic Manager, and a race condition in Secure Access Client. Successful exploitation could lead to privilege escalation and remote code execution.
Both Fortinet and Ivanti stated they are not aware of any of the patched vulnerabilities being exploited in the wild. The coordinated patch releases come amid a busy Patch Tuesday that also saw Zoom address three security defects, including two high-severity privilege escalation issues in Rooms for Windows and Workplace VDI Plugin for Windows.
The patches highlight the ongoing challenge of securing complex enterprise product ecosystems, where critical flaws in authentication and sandboxing components can expose organizations to remote compromise. Administrators are urged to apply the updates promptly to mitigate risk.