
Fortinet, Ivanti, and SAP Release Critical Security Patches for Authentication Bypass and Remote Code Execution Vulnerabilities – December 2025 Threat Intelligence Report

  • Rescana
  • 15 hours ago
  • 3 min read

Executive Summary

In December 2025, Fortinet, Ivanti, and SAP released urgent security patches addressing critical vulnerabilities that could allow authentication bypass and remote code execution (RCE). These flaws are being actively discussed in the security community due to their high severity and exploitation potential. This report provides a detailed analysis, including technical details, exploitation evidence, IOCs, and references.


1. Fortinet Vulnerabilities

Vulnerabilities

  • CVE-2025-59718 (CVSS 9.8)

  • CVE-2025-59719 (CVSS 9.8)

Products Affected:

  • FortiOS

  • FortiWeb

  • FortiProxy

  • FortiSwitchManager

Vulnerability Details: Improper verification of cryptographic signatures (CWE-347) in the FortiCloud SSO login feature allows an unauthenticated attacker to bypass authentication by sending a crafted SAML message.

Default Status: FortiCloud SSO login is not enabled by default. It becomes enabled when a device is registered to FortiCare and the "Allow administrative login using FortiCloud SSO" toggle has not been disabled.

Temporary Mitigation: disable FortiCloud SSO login.

  • GUI: System → Settings → switch "Allow administrative login using FortiCloud SSO" to Off

  • CLI:

    config system global
        set admin-forticloud-sso-login disable
    end

Exploitation Evidence: no public exploitation in the wild reported as of this writing, but the vulnerability is trivial to exploit if SSO is enabled.
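To make the CWE-347 failure mode concrete, the following toy verifier is an added illustration, not Fortinet's code and not the SAML XML-signature format: an assertion is modelled as a JSON object carrying an HMAC-SHA256 signature, and `TRUSTED_IDP_KEY`, `TRUSTED_ISSUER`, the `key_hint` field and the function names are all assumptions. The weak verifier accepts an assertion with no signature at all and, when one is present, takes the verification key from the message itself; the strict verifier requires the signature, pins both the key and the issuer, and compares in constant time.

```python
"""Toy model of CWE-347 (improper verification of cryptographic signatures)
in an SSO-style login flow.  Added illustration; the assertion format, the
HMAC scheme and all names are assumptions, not Fortinet's implementation."""
import hashlib
import hmac
import json

# Constructed key shared with the trusted identity provider (hypothetical value).
TRUSTED_IDP_KEY = b"constructed-idp-key-do-not-reuse"
TRUSTED_ISSUER = "idp.example.test"


def canonical(claims: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims: dict, key: bytes) -> dict:
    """IdP side: attach an HMAC-SHA256 over the canonical claims."""
    sig = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_weak(assertion: dict) -> bool:
    """Flawed verifier (illustrates CWE-347): an assertion without a signature is
    accepted, and when a signature is present the key is chosen by the message."""
    if "sig" not in assertion:
        return True  # "nothing to check" -- unsigned identity claims are trusted
    hint = assertion["claims"].get("key_hint")
    key = hint.encode() if hint else TRUSTED_IDP_KEY  # message picks its own key
    expected = hmac.new(key, canonical(assertion["claims"]), hashlib.sha256).hexdigest()
    return expected == assertion["sig"]


def verify_strict(assertion: dict) -> bool:
    """Hardened verifier: signature mandatory, key and issuer pinned, and the
    comparison is constant-time so the result cannot leak byte by byte."""
    sig = assertion.get("sig")
    claims = assertion.get("claims")
    if not isinstance(sig, str) or not isinstance(claims, dict):
        return False
    if claims.get("iss") != TRUSTED_ISSUER:
        return False
    expected = hmac.new(TRUSTED_IDP_KEY, canonical(claims), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def demo() -> dict:
    """Run three constructed assertions through both verifiers."""
    admin = {"iss": TRUSTED_ISSUER, "sub": "admin", "role": "super_admin"}
    genuine = sign(dict(admin), TRUSTED_IDP_KEY)          # signed by the real IdP
    unsigned = {"claims": dict(admin)}                     # no signature at all
    self_keyed = sign({**admin, "key_hint": "x"}, b"x")    # signed with a key the message names
    return {
        "weak": [verify_weak(a) for a in (genuine, unsigned, self_keyed)],
        "strict": [verify_strict(a) for a in (genuine, unsigned, self_keyed)],
    }


if __name__ == "__main__":
    print(demo())  # weak accepts all three; strict accepts only the genuine one
```

The point of the comparison is that both forged assertions carry claims identical to the genuine one; only the provenance of the key and the presence of the signature differ, which is exactly what the weak verifier fails to check.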


2. Ivanti Endpoint Manager (EPM) Vulnerabilities

Vulnerabilities

  • CVE-2025-10573 (CVSS 9.6) – Critical stored XSS in EPM core and remote consoles

  • CVE-2025-13659 (High)

  • CVE-2025-13661 (High)

  • CVE-2025-13662 (High, improper cryptographic signature verification in patch management)

Product Affected: Ivanti Endpoint Manager (EPM) prior to version 2024 SU4 SR1

Vulnerability Details:

  • CVE-2025-10573: Allows a remote, unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session by submitting a fake managed endpoint to the EPM server. When an admin views the poisoned dashboard, the attacker's JavaScript executes, potentially granting full session control.

  • CVE-2025-13662: A cryptographic signature verification flaw similar to the Fortinet issue, allowing arbitrary code execution.

Exploitation Evidence:

  • No confirmed exploitation in the wild as of this report, but the attack is trivial and can be triggered by routine admin activity.

  • Security researchers (Rapid7, SOCRadar) highlight high exploitation potential, especially combined with social engineering.

Proof of Concept (PoC): Rapid7 researcher Ryan Emmons discovered and reported the flaw.
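The CVE-2025-10573 pattern, a self-registered endpoint whose attributes are rendered into the admin console, is a stored XSS. The following is an added illustration with constructed device records; the rendering and intake functions are assumptions, not Ivanti's EPM code. It shows a dashboard renderer that concatenates the submitted hostname into HTML beside one that escapes it, plus a server-side intake check that rejects malformed hostnames before they are ever stored.

```python
"""Stored XSS via a self-registered endpoint record, weak vs. hardened rendering.
Added illustration; device records are constructed and the functions are
assumptions, not Ivanti's EPM implementation."""
import html
import re

# Constructed records as a managed endpoint might report them to the server.
# The second hostname is a placeholder marker for attacker-controlled markup.
DEVICES = [
    {"hostname": "ws-finance-07", "os": "Windows 11"},
    {"hostname": "<script>alert(1)</script>", "os": "Linux"},
]

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")  # RFC 1123 label shape (assumed policy)


def render_weak(devices: list) -> str:
    """Vulnerable dashboard: untrusted fields are interpolated into HTML verbatim,
    so whatever the endpoint reported runs in the administrator's browser."""
    rows = "".join(f"<tr><td>{d['hostname']}</td><td>{d['os']}</td></tr>" for d in devices)
    return f"<table>{rows}</table>"


def render_safe(devices: list) -> str:
    """Hardened dashboard: every untrusted field is HTML-escaped at output time
    (quote=True also escapes quotes, which matters inside attribute values)."""
    rows = "".join(
        f"<tr><td>{html.escape(d['hostname'], quote=True)}</td>"
        f"<td>{html.escape(d['os'], quote=True)}</td></tr>"
        for d in devices
    )
    return f"<table>{rows}</table>"


def contains_script_tag(page: str) -> bool:
    """Detection helper for the IOC 'JavaScript payloads in dashboard data'."""
    return bool(SCRIPT_TAG.search(page))


def valid_hostname(name: str) -> bool:
    """Whole-string match; anything outside the allowed label shape is rejected."""
    return bool(HOSTNAME_RE.fullmatch(name))


def ingest(devices: list) -> list:
    """Server-side intake: keep only records whose hostname passes validation.
    Defence in depth alongside output escaping, not a replacement for it."""
    return [d for d in devices if valid_hostname(d["hostname"])]


if __name__ == "__main__":
    print("weak renders script tag:", contains_script_tag(render_weak(DEVICES)))  # True
    print("safe renders script tag:", contains_script_tag(render_safe(DEVICES)))  # False
    print("records accepted at intake:", len(ingest(DEVICES)))                    # 1
```

Output escaping is the control that closes the bug; input validation reduces what reaches storage, and scanning stored data for markup (the `contains_script_tag` check) is how a defender finds records that already slipped through.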


3. SAP Critical Flaws

Vulnerabilities

  • CVE-2025-42880 (CVSS 9.9) – Code injection in SAP Solution Manager

  • CVE-2025-55754 (CVSS 9.6) – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

  • CVE-2025-42928 (CVSS 9.1) – Deserialization vulnerability in SAP jConnect SDK for Sybase ASE

Products Affected:

  • SAP Solution Manager

  • SAP Commerce Cloud

  • SAP jConnect SDK for Sybase ASE

Vulnerability Details:

  • CVE-2025-42880: A remote-enabled function module allows authenticated attackers to inject arbitrary code.

  • CVE-2025-42928: Allows RCE via specially crafted input to the jConnect SDK component (requires elevated privileges).

Exploitation Evidence:

  • No public exploitation in the wild reported as of this writing.

  • Onapsis is credited with discovery and reporting.


4. MITRE ATT&CK, TTPs, and APT Groups

  • TTPs:

      • T1190: Exploit Public-Facing Application

      • T1556: Modify Authentication Process

      • T1059: Command and Scripting Interpreter (for code execution via XSS or deserialization)

  • Relevant APT Groups:

      • No specific APT group attribution as of this report, but similar vulnerabilities have been exploited by APT29 (Cozy Bear), APT41, and ransomware groups in the past.


5. Indicators of Compromise (IOCs)

  • Fortinet:

      • Unusual SAML authentication attempts in logs

      • Unexpected administrative logins via FortiCloud SSO

  • Ivanti:

      • Unrecognized managed endpoints/devices in EPM

      • JavaScript payloads in dashboard data

  • SAP:

      • Unusual code execution or process spawning from Solution Manager or jConnect SDK components
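The Fortinet and Ivanti indicators above are behavioural rather than hash-based, so they are best expressed as detection rules over authentication and enrollment events. The following is an added example, not part of the report: it runs three rules over constructed key=value events. The event format, field names, allowlists and the failure threshold are assumptions and do not reproduce Fortinet, Ivanti or SAP log formats; in practice the parser is swapped for the product's real log schema and the rules stay the same.

```python
"""Detection rules for the Fortinet and Ivanti IOCs, run over constructed events.
Added example; the event format, field names, allowlists and thresholds are
assumptions, not any vendor's log schema."""
import re
from collections import Counter

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed environment facts: SSO is expected to be off while the temporary
# mitigation is in place, admin logins normally come from one management host,
# and the set of legitimately enrolled EPM endpoints is known.
SSO_EXPECTED = False
ADMIN_SOURCES = {"10.0.5.4"}
KNOWN_ENDPOINTS = {"ws-finance-07", "ws-hr-02"}
SAML_FAILURE_THRESHOLD = 3  # repeated rejected SAML messages from one source

# Constructed events (not real device output); documentation IP ranges only.
SAMPLE_EVENTS = [
    'ts=2025-12-10T08:01:12Z src=fortigate event=admin_login user=admin method=password srcip=10.0.5.4 status=success',
    'ts=2025-12-10T08:14:03Z src=fortigate event=saml_auth srcip=198.51.100.7 status=failure reason="signature mismatch"',
    'ts=2025-12-10T08:14:05Z src=fortigate event=saml_auth srcip=198.51.100.7 status=failure reason="signature mismatch"',
    'ts=2025-12-10T08:14:06Z src=fortigate event=saml_auth srcip=198.51.100.7 status=failure reason="signature mismatch"',
    'ts=2025-12-10T08:14:09Z src=fortigate event=admin_login user=admin method=sso srcip=198.51.100.7 status=success',
    'ts=2025-12-10T09:02:41Z src=epm event=endpoint_register hostname=ws-hr-02 srcip=10.0.7.2',
    'ts=2025-12-10T09:05:17Z src=epm event=endpoint_register hostname=lab-unk-99 srcip=198.51.100.9',
]


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect(lines: list) -> list:
    """Return (rule, subject, detail) tuples for every matched indicator."""
    alerts = []
    saml_failures = Counter()
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "saml_auth" and ev.get("status") == "failure":
            # IOC: unusual SAML authentication attempts (counted per source)
            saml_failures[ev.get("srcip")] += 1
        elif kind == "admin_login" and ev.get("status") == "success":
            if ev.get("method") == "sso" and not SSO_EXPECTED:
                # IOC: unexpected administrative login via FortiCloud SSO
                alerts.append(("sso_admin_login", ev.get("user"), ev.get("srcip")))
            elif ev.get("srcip") not in ADMIN_SOURCES:
                alerts.append(("admin_login_unexpected_source", ev.get("user"), ev.get("srcip")))
        elif kind == "endpoint_register" and ev.get("hostname") not in KNOWN_ENDPOINTS:
            # IOC: unrecognized managed endpoint registering with EPM
            alerts.append(("unknown_endpoint", ev.get("hostname"), ev.get("srcip")))
    for ip, n in saml_failures.items():
        if n >= SAML_FAILURE_THRESHOLD:
            alerts.append(("saml_failure_burst", ip, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A SAML failure burst from one source followed minutes later by a successful SSO admin login from the same source is the sequence worth paging on; the two rules are kept separate so each also fires on its own.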


6. Recommendations

  • Patch immediately to the latest versions as provided by Fortinet, Ivanti, and SAP.

  • Disable FortiCloud SSO login if not required, until patched.

  • Monitor logs for suspicious authentication or device registration activity.

  • Review user privileges and restrict access to administrative interfaces.


7. References & Further Reading


Prepared for Rescana customers. For further details or custom threat intelligence, contact your Rescana representative.