Executive Summary
The cybersecurity landscape has been significantly impacted by a series of critical vulnerabilities disclosed and patched between late 2025 and early 2026, affecting Ivanti, Fortinet, SAP, VMware, and n8n. These vulnerabilities encompass Remote Code Execution (RCE), SQL Injection, and Privilege Escalation flaws, several of which have been actively exploited in the wild. The vulnerabilities present substantial risks to enterprise environments, enabling attackers to gain unauthorized access, escalate privileges, exfiltrate sensitive data, and potentially disrupt business operations. This advisory provides a comprehensive technical analysis of the vulnerabilities, exploitation status, threat actor tactics, affected product versions, and actionable mitigation strategies to safeguard your organization.
Technical Information
The vulnerabilities span multiple enterprise platforms and technologies, each with unique exploitation vectors and potential business impact.
Ivanti Endpoint Manager (EPM) Vulnerabilities
Ivanti Endpoint Manager (EPM) 2024 and earlier releases are affected by thirteen distinct vulnerabilities. Two are classified as high-severity: an insecure deserialization flaw (CVE-2025-11622) and a path traversal vulnerability (CVE-2025-9713), both of which can lead to privilege escalation or RCE. The insecure deserialization flaw allows a local authenticated attacker to escalate privileges on the EPM Core server by manipulating serialized objects, potentially gaining SYSTEM-level access. The path traversal vulnerability enables remote unauthenticated attackers to achieve RCE by importing malicious files or configurations, though user interaction is required to trigger the exploit.
Additionally, eleven medium-severity SQL Injection vulnerabilities (CVE-2025-1162, CVE-2025-62383 through CVE-2025-62392) allow remote authenticated attackers to access and read arbitrary data from the EPM database. These SQL Injection flaws stem from insufficient input validation in database queries, exposing sensitive configuration and user data to attackers with valid credentials.
Fortinet FortiClient EMS SQL Injection/RCE (CVE-2026-21643)
Fortinet FortiClient EMS version 7.4.4 (with multi-tenant mode enabled) is impacted by a critical SQL Injection vulnerability (CVE-2026-21643, CVSS 9.8). This flaw arises from improper handling of the Site HTTP header, which is directly interpolated into a PostgreSQL query without sanitization. Attackers can exploit this via pre-authentication endpoints such as /api/v1/init_consts, sending specially crafted HTTP requests to execute arbitrary SQL commands. Successful exploitation enables unauthenticated attackers to achieve RCE, extract or modify sensitive data, and create or escalate administrative accounts. The vulnerability is patched in version 7.4.5 and above.
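The two SQL Injection classes described above (the EPM queries built with insufficient input validation, and the FortiClient EMS Site header interpolated directly into a PostgreSQL query) share one root cause: attacker-controlled text becomes part of the SQL statement. The following added example is not Ivanti's or Fortinet's code; it is an illustration of the vulnerable pattern beside its hardened form. It uses Python's built-in sqlite3 as an offline stand-in for PostgreSQL, and the `sites` table, its columns and its rows are invented for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for a multi-tenant
    site/tenant table (sqlite3 is a stand-in for PostgreSQL here so the
    example runs offline; table, columns and rows are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (name TEXT, tenant_id INTEGER, secret TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?, ?)",
        [("default", 1, "tenant1-secret"), ("branch-a", 2, "tenant2-secret")],
    )
    conn.commit()
    return conn


def lookup_site_vulnerable(conn, site_header):
    """Pattern to avoid: the header value is spliced into the SQL text, so
    quotes and operators inside it are parsed as part of the query."""
    query = f"SELECT name, tenant_id FROM sites WHERE name = '{site_header}'"
    return conn.execute(query).fetchall()


def lookup_site_safe(conn, site_header):
    """Hardened form: the header travels as a bound parameter and the
    database engine treats it strictly as data. (sqlite3 uses '?'
    placeholders; psycopg2 for PostgreSQL uses '%s' with the same idea.)"""
    query = "SELECT name, tenant_id FROM sites WHERE name = ?"
    return conn.execute(query, (site_header,)).fetchall()


def demo():
    """Run both lookups against a benign and a quote-bearing header value and
    return the row sets so the difference can be inspected or asserted on."""
    conn = build_db()
    benign = "default"
    # Constructed input: a textbook tautology that closes the quoted literal.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_site_vulnerable(conn, benign),
        "vuln_hostile": lookup_site_vulnerable(conn, hostile),
        "safe_benign": lookup_site_safe(conn, benign),
        "safe_hostile": lookup_site_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} -> {rows}")
```

The interpolated version returns every tenant row for the hostile header, because the WHERE clause has been rewritten by the input; the parameterized version returns no rows at all, since no site is literally named `x' OR '1'='1`. When reviewing code that handles request headers, the check to apply is simply whether any header value can reach `execute()` inside the query string rather than in the parameter tuple.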
SAP, VMware, and n8n Vulnerabilities
A coordinated patch wave addressed critical RCE, SQL Injection, and Privilege Escalation flaws across SAP, VMware, and n8n. For SAP, the number of vulnerabilities increased by 39% year-over-year, with a 210% surge in active exploitation. While specific CVEs are not detailed in public advisories, mass exploitation and underground exploit sales have been reported, indicating a heightened threat environment. VMware and n8n also released patches for critical RCE and privilege escalation vulnerabilities, though technical specifics and affected versions are not fully disclosed in public sources. Organizations are urged to consult the latest vendor advisories and apply all relevant security updates.
Exploitation in the Wild
Exploitation activity varies across the affected products:
For Ivanti Endpoint Manager, as of October 2025, there is no public proof-of-concept (PoC) or evidence of active exploitation in the wild. However, the criticality of the vulnerabilities and the history of rapid exploitation of similar flaws in enterprise management platforms warrant urgent patching and heightened monitoring.
Fortinet FortiClient EMS (CVE-2026-21643) has been actively exploited since at least April 2026. Attackers leverage the SQL Injection flaw to gain initial access, escalate privileges, and execute arbitrary code on vulnerable systems. Security vendors have observed exploitation attempts and released detection signatures to assist defenders.
For SAP, reports indicate active exploitation and a thriving underground market for related exploits. The lack of detailed public technical information suggests that attackers may be leveraging zero-day or recently patched vulnerabilities before organizations can apply mitigations. No public exploitation evidence is available for the latest VMware and n8n vulnerabilities, but the release of critical patches implies a significant risk.
APT Groups Using These Vulnerabilities
While no specific Advanced Persistent Threat (APT) groups have been publicly attributed to these vulnerabilities in public sources, the tactics, techniques, and procedures (TTPs) align with those commonly employed by ransomware operators and financially motivated cybercrime groups. The MITRE ATT&CK framework identifies several relevant TTPs:
T1190 (Exploit Public-Facing Application) describes the initial access vector for RCE and SQL Injection flaws. T1059 (Command and Scripting Interpreter) is used for post-exploitation command execution. T1078 (Valid Accounts) covers privilege escalation via compromised credentials, and T1505 (Server Software Component) relates to SQL Injection leading to RCE. These techniques are frequently observed in campaigns targeting enterprise infrastructure, including those orchestrated by APTs and ransomware-as-a-service affiliates.
Affected Product Versions
The following product versions are confirmed or strongly suspected to be affected based on public advisories and vendor disclosures:
Ivanti Endpoint Manager: All versions up to and including 2024 SU3 SR1 are vulnerable to insecure deserialization, path traversal, and SQL Injection flaws. The RCE and privilege escalation issues are resolved in 2024 SU4, while SQL Injection flaws are scheduled for remediation in 2024 SU5 (expected Q1 2026).
Fortinet FortiClient EMS: Version 7.4.4 (with multi-tenant mode enabled) is vulnerable to CVE-2026-21643. The issue is resolved in version 7.4.5 and later.
SAP: Specific affected versions are not detailed in public advisories. Organizations should refer to the latest SAP Security Patch Day advisories and apply all relevant updates.
VMware: Affected versions are not specified in public sources. Refer to the latest VMware Security Advisories for guidance.
n8n: Affected versions are not specified in public sources. Consult the latest n8n release notes for patch information.
Workaround and Mitigation
Immediate action is required to mitigate the risk posed by these vulnerabilities:
For Ivanti Endpoint Manager, upgrade to version 2024 SU4 to address RCE and privilege escalation flaws, and to 2024 SU5 (when available) for SQL Injection remediation. Restrict access to the EPM Core server to local administrators only, and consider removing the reporting database user if reporting functionality is not essential, as this account is a common target for exploitation.
For Fortinet FortiClient EMS, upgrade to version 7.4.5 or later without delay. Monitor network traffic for suspicious HTTP requests targeting /api/v1/init_consts with anomalous Site headers, and review system logs for unexpected database modifications or the creation of new administrative accounts. Leverage detection signatures provided by security vendors such as Check Point, Cisco, F5, Fortinet, Imperva, Snort, and Trend Micro.
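One way to act on the monitoring advice above, as an added example that is not part of the original advisory or any vendor's signature set: a small scanner that reads reverse-proxy access logs, keeps only requests to /api/v1/init_consts, and flags Site header values that carry SQL metacharacters or do not look like a site name. The log lines, their field names (`ts`, `src`, `method`, `path`, `site_header`, `status`) and the "hostname-like" assumption for legitimate site names are all constructed for this example; a real proxy or WAF export will need its own field mapping, and the regex is a coarse heuristic meant to complement, not replace, vendor signatures.

```python
import json
import re
from collections import Counter

TARGET_PATH = "/api/v1/init_consts"

# Assumption: a legitimate site/tenant name looks like a hostname label
# (letters, digits, dots, hyphens, at most 63 characters).
VALID_SITE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,62}$")

# Quotes, statement separators, comment openers and common SQL keywords.
SQL_META = re.compile(
    r"""['";]|--|/\*|\b(or|and|union|select|insert|update|delete|drop)\b""",
    re.IGNORECASE,
)

LONG_SITE = "a" * 80  # constructed: far longer than any realistic site name

# Constructed JSON-lines access log; two benign calls, one call to another
# path, and two suspicious calls from a single external source.
SAMPLE_LOG = "\n".join([
    '{"ts": "2026-04-02T10:00:01Z", "src": "10.0.0.5", "method": "POST", '
    '"path": "/api/v1/init_consts", "site_header": "default", "status": 200}',
    '{"ts": "2026-04-02T10:00:02Z", "src": "10.0.0.6", "method": "GET", '
    '"path": "/api/v1/status", "site_header": "branch-a", "status": 200}',
    '{"ts": "2026-04-02T10:00:03Z", "src": "198.51.100.7", "method": "POST", '
    '"path": "/api/v1/init_consts", "site_header": "default\' OR 1=1 --", "status": 500}',
    '{"ts": "2026-04-02T10:00:04Z", "src": "198.51.100.7", "method": "POST", '
    '"path": "/api/v1/init_consts", "site_header": "' + LONG_SITE + '", "status": 200}',
    '{"ts": "2026-04-02T10:00:05Z", "src": "10.0.0.5", "method": "POST", '
    '"path": "/api/v1/init_consts", "site_header": "branch-a", "status": 200}',
])


def classify_site_header(value):
    """Return the list of reasons a Site header value looks anomalous
    (empty list means it passed both checks)."""
    reasons = []
    if value is None:
        return reasons  # absent header is not judged here
    if SQL_META.search(value):
        reasons.append("sql-metacharacters")
    if not VALID_SITE.match(value):
        reasons.append("not-hostname-like")
    return reasons


def scan_log(text):
    """Parse JSON-lines access logs and return findings for requests to the
    target path whose Site header fails the checks. Malformed lines are skipped."""
    findings = []
    for raw in text.strip().splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("path") != TARGET_PATH:
            continue
        reasons = classify_site_header(rec.get("site_header"))
        if reasons:
            findings.append({
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "status": rec.get("status"),
                "site_header": rec.get("site_header"),
                "reasons": reasons,
            })
    return findings


def suspicious_sources(findings, min_hits=2):
    """Sources with at least min_hits flagged requests, to prioritise triage."""
    counts = Counter(f["src"] for f in findings)
    return {src for src, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["status"], h["reasons"], repr(h["site_header"])[:40])
    print("sources to triage:", sorted(suspicious_sources(hits)))
```

On the sample log the scanner reports the two requests from 198.51.100.7 (one for SQL metacharacters and a malformed name, one purely for an implausibly long value) and leaves the benign calls alone. A 500 response paired with a flagged header is worth treating as a probe that may have reached the database layer; pairing these findings with the log review for new administrative accounts recommended above gives a fuller picture than either signal on its own.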
For SAP, VMware, and n8n, apply all available security patches as soon as possible. Monitor vendor advisories for updates on new vulnerabilities and exploit activity. Implement robust access controls, network segmentation, and continuous monitoring to detect and respond to suspicious activity.
Across all platforms, organizations should enhance their detection and response capabilities, conduct regular vulnerability assessments, and ensure that incident response plans are up to date and tested.
References
For further technical details and official advisories, consult the following resources:
Intrucept Labs Ivanti Advisory
Ivanti Security Advisory
SecurityOnline.info
Picus Security Fortinet CVE-2026-21643
Fortinet PSIRT FG-IR-25-1142
Cypro.se Patch Summary
CISA Known Exploited Vulnerabilities Catalog
TheHackerNews Facebook
ExpertInTheCloud Patch Wave
Rescana is here for you
At Rescana, we understand the complexity and urgency of managing third-party and supply chain cyber risk. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate vulnerabilities across their digital ecosystem, providing actionable intelligence and automated workflows to reduce exposure and accelerate remediation. We are committed to supporting your security team with timely threat intelligence, expert guidance, and best-in-class technology. For any questions or to discuss how Rescana can help strengthen your cyber resilience, please contact us at ops@rescana.com.