Seven Critical Fortinet, Ivanti and SAP Bugs: Risks and Patching

CyberSecureFox Editorial Team

Three major vendors — Fortinet, Ivanti and SAP — simultaneously released security updates that together close seven critical vulnerabilities with CVSS scores from 9.0 to 10.0. The most dangerous of them, CVE-2026-10520 in Ivanti Sentry, received the maximum score of 10.0 and allows an unauthenticated attacker to achieve remote code execution with root privileges. All of the vulnerabilities enable arbitrary code execution or unauthorized access to data. No exploitation in real-world attacks has been recorded so far, but technical details of exploiting CVE-2026-10520 have been published, which significantly increases the risk. Organizations using the affected products should prioritize installing the updates.

Fortinet FortiSandbox: OS command injection without authentication

According to the Fortinet PSIRT advisory, the vulnerability CVE-2026-25089 (CVSS 9.1) belongs to the CWE-78 class — improper neutralization of special elements used in an OS command. An unauthenticated attacker can execute arbitrary OS commands via specially crafted HTTP requests sent to the FortiSandbox web interface.

Affected products and versions:

  • FortiSandbox 5.0.0–5.0.5 → update to 5.0.6 or later
  • FortiSandbox 4.4.0–4.4.8 → update to 4.4.9 or later
  • FortiSandbox Cloud 5.0.4–5.0.5 → update to 5.0.6 or later
  • FortiSandbox PaaS 5.0.4–5.0.5 → update to 5.0.6 or later

FortiSandbox is a key component of malware protection infrastructure, and compromise of this solution can give an attacker access to analyzed samples and to the organization’s internal network.

Ivanti Sentry: maximum severity and public exploit analysis

Ivanti has released fixes for two vulnerabilities in Ivanti Sentry (formerly MobileIron Sentry), both of which affect versions prior to R10.5.2, R10.6.2 and R10.7.1:

  • CVE-2026-10520 (CVSS 10.0) — OS command injection that allows an unauthenticated attacker to gain remote code execution with root privileges.
  • CVE-2026-10523 (CVSS 9.9) — authentication bypass that allows an unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

According to researchers from watchTowr Labs, exploitation of CVE-2026-10520 is carried out by sending a specially crafted HTTP request to the /mics/api/v2/sentry/mics-config/handleMessage endpoint. The request is interpreted as a MICS configuration command and executed by the server-side handleExecute() component. Researcher Sonny McDonald noted that the Ivanti patch implements two layers of protection: redirecting unauthenticated requests to the login page and blocking access to the vulnerable endpoint — effectively adding authentication where there was none.

The combination of CVE-2026-10520 and CVE-2026-10523 is particularly dangerous: after an initial compromise via the command injection, the authentication bypass can be used to create an administrative account that survives as a backdoor, giving the attacker durable access with administrative privileges.

SAP: four critical vulnerabilities in key platforms

As part of its June security updates, SAP fixed four critical vulnerabilities:

  • CVE-2026-44748 (CVSS 9.9) — XML signature wrapping in the SAML authentication mechanism in SAP NetWeaver AS ABAP and ABAP Platform. According to Onapsis, an authenticated attacker with standard privileges can obtain a valid signed message, modify the identity data in the XML document and send it to the verifier. Due to improper verification of the XML signature, the modified data is accepted, leading to unauthorized access to users’ confidential data.
  • CVE-2026-27671 (CVSS 9.8) — memory corruption in Application Server ABAP. An unauthenticated attacker can send a specially crafted RFC request, exploiting improper validation of the RFC protocol by the SAP kernel.
  • CVE-2026-22732 (CVSS 9.1) — Spring Security vulnerability in SAP Commerce Cloud and SAP Data Hub.
  • CVE-2026-40128 (CVSS 9.0) — directory traversal in SAP NetWeaver Application Server Java (Web Container).

The CVE-2026-44748 vulnerability deserves special attention from organizations using SAML authentication with SAP: a successful attack allows an attacker to spoof user identity, which can lead to compromise of privileged accounts in the ERP system.

Risk assessment and recommendations

None of the listed vulnerabilities has been added to the CISA KEV catalog as of publication, and there are no confirmed cases of exploitation in real-world attacks. However, the publication of technical exploitation details for CVE-2026-10520 by watchTowr Labs significantly shortens the time until working exploits appear.

Update priorities:

  1. Highest priority — Ivanti Sentry: update to R10.5.2, R10.6.2 or R10.7.1 depending on the branch in use. The combination of a public exploit analysis and the maximum CVSS score of 10.0 makes this vulnerability the top priority.
  2. High priority — FortiSandbox: update to 5.0.6 on the 5.0 branch (including FortiSandbox Cloud and PaaS) or to 4.4.9 on the 4.4 branch. The vulnerability does not require authentication and is exploited over HTTP.
  3. High priority — SAP NetWeaver and related products: install the relevant fixes from SAP’s June patch bundle. Pay particular attention to systems with SAML authentication (CVE-2026-44748) and publicly accessible RFC interfaces (CVE-2026-27671).

As a temporary measure for Ivanti Sentry, it is recommended to restrict network access to the /mics/api/v2/sentry/mics-config/handleMessage endpoint using a firewall or reverse proxy until the patch is installed.
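As an added example (not from the article, watchTowr Labs or Ivanti), the following Python sweeps reverse-proxy access logs for requests to the endpoint named above, so a defender can confirm the interim network restriction is holding and see which sources reached the endpoint before it was in place. It assumes the proxy writes combined-format access logs and that internal management networks are allow-listed; the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Endpoint named in the watchTowr Labs analysis of CVE-2026-10520.
SENTRY_ENDPOINT = "/mics/api/v2/sentry/mics-config/handleMessage"

# Assumed: the proxy in front of Sentry writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:08:01:12 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2026:08:01:15 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2026:08:01:18 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage?ts=1 HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.5.4 - - [10/Jun/2026:08:02:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 100 "-" "MICS-admin"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # compare the path without any query string
    return entry

def find_endpoint_hits(lines, allowed_nets=()):
    """Return entries that reached the Sentry config endpoint from outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] != SENTRY_ENDPOINT:
            continue
        src = ipaddress.ip_address(entry["ip"])
        if any(src in net for net in nets):
            continue  # expected administrative traffic from an allow-listed network
        hits.append(entry)
    return hits

def summarize(hits):
    """Count hits per source and list sources that got a 200 back. The patch redirects
    unauthenticated requests to the login page, so a 200 here points to an unpatched appliance."""
    return {
        "per_source": Counter(h["ip"] for h in hits),
        "served_200": sorted({h["ip"] for h in hits if h["status"] == 200}),
    }
```

Sources listed under `served_200` should be reviewed first, since the request was accepted rather than redirected.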

The coincidence of release dates for critical updates from three vendors creates additional workload for security teams. Given the existence of a public exploit analysis for Ivanti Sentry and the absence of authentication as a barrier for most of the vulnerabilities described, patch installation should be completed within 48–72 hours, starting with Ivanti Sentry and FortiSandbox as the most likely targets for attackers.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
