
Fortinet, Ivanti Patch Critical Vulnerabilities

Fortinet and Ivanti on Tuesday announced patches for 18 vulnerabilities across their product portfolios, including three critical-severity bugs.

Fortinet published 11 advisories describing as many bugs, including two dealing with critical-severity code execution security defects.

Tracked as CVE-2026-44277 (CVSS score of 9.1), the first of them is an improper access control issue in FortiAuthenticator that could be exploited remotely, without authentication, via crafted requests.

“FortiAuthenticator Cloud isn’t impacted by the issue, and therefore customers don’t have to perform any action,” the company says.

The second, tracked as CVE-2026-26083 (CVSS score of 9.1), is a missing authorization weakness affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.

According to Fortinet, remote, unauthenticated attackers could send crafted HTTP requests to the vulnerable appliances to achieve code or command execution.

On Tuesday, Fortinet also resolved a high-severity out-of-bounds write vulnerability (CVE-2025-53844) in the FortiOS capwap daemon that could allow attackers to execute code on FortiGate devices. The attacker needs to control an authenticated FortiAP, FortiExtender, or FortiSwitch, the company says.


Fortinet also rolled out fixes for seven medium-severity flaws affecting FortiDeceptor WEB UI, FortiAP, FortiAP-U, FortiAP-W2 CLI, FortiAnalyzer, FortiManager, FortiTokenAndroid, FortiMail, and FortiNDR.

Ivanti published four advisories on Tuesday, detailing seven security defects impacting Ivanti Secure Access Client, Xtraction, Virtual Traffic Manager, and Endpoint Manager (EPM).

The most severe of these is CVE-2026-8043 (CVSS score of 9.6), described as an external control of a file name issue in Xtraction that could be exploited remotely to read sensitive files and write arbitrary HTML files to a web directory.

The company also resolved four high-severity vulnerabilities, including SQL injection and incorrect permissions assignment flaws in EPM, an OS command injection in Virtual Traffic Manager, and a race condition in Secure Access Client.

Successful exploitation of these bugs could lead to privilege escalation and remote code execution, the company says.

Both Fortinet and Ivanti said they were not aware of any of the patched vulnerabilities being exploited in the wild.


On Tuesday, Zoom rolled out patches for three security defects, including two high-severity issues in Rooms for Windows and Office VDI Plugin for Windows that could lead to privilege escalation.
