We’re joined today by Rupert Marais, our in-house security specialist, to dissect a recent wave of critical vulnerabilities that have put major enterprise vendors on high alert. Fortinet, Ivanti, and SAP—names central to the IT infrastructure of countless organizations—have all rushed to patch severe flaws. These issues range from authentication bypasses that effectively leave the front door unlocked to code execution bugs that hand attackers the keys to the kingdom. We’ll explore the sophisticated attack chains, the recurring patterns of error in cryptographic checks, and what these incidents tell us about the shifting threat landscape.
The Fortinet flaw, CVE-2025-59718, carries a staggering 9.8 CVSS score for its ability to bypass Single Sign-On with a specially crafted SAML message. Since this SSO feature isn’t enabled by default, could you walk us through how an attacker would exploit this and explain why it remains such a critical risk?
Absolutely. The high CVSS score is completely justified, even with the feature being off by default. The attack chain begins with an unauthenticated attacker targeting the FortiCloud SSO login mechanism. They don’t need a password; they just need to find a device where an administrator has enabled this feature, which is a common step for convenience after registering the device with FortiCare. The attacker then crafts a malicious SAML message—think of it as a forged digital passport—and sends it to the device. The core of the vulnerability, an “Improper Verification of Cryptographic Signature,” means the device fails to properly validate that this digital passport is legitimate. It essentially accepts the forged credentials, granting the attacker full administrative access. The risk is critical because once an admin enables that “Allow administrative login using FortiCloud SSO” toggle, they create a silent but massive attack surface that bypasses all standard authentication.
Shifting to Ivanti’s Endpoint Manager, we saw CVE-2025-10573, where an attacker can poison an administrator’s dashboard by enrolling a fake device. Can you detail the steps an attacker takes and clarify why this stored cross-site scripting flaw is considered trivial to exploit, despite needing an admin to interact with the interface?
The Ivanti EPM flaw is a classic example of how a simple action can lead to a complete takeover. The process is deceptively straightforward. An unauthenticated attacker, from anywhere on the network, sends a fake device report to the main EPM web service. The report itself can be created using a basic file format, making it incredibly easy to craft. This report contains malicious JavaScript, and because the server doesn’t properly sanitize this input, it stores the malicious code. The “poison” is now in the system. Later, when an IT administrator does their routine job—logging in and viewing the device dashboard—their browser executes that hidden JavaScript. This is what’s meant by “passive user interaction.” The admin isn’t clicking a suspicious link; they’re just doing their job. That single act triggers the exploit, which can immediately hijack their session, giving the attacker the same level of control as the administrator. It’s considered trivial because the initial injection requires no credentials and minimal technical skill, and the trigger is an inevitable, everyday action.
The article also highlights a code injection flaw in SAP Solution Manager, CVE-2025-42880, with a near-perfect 9.9 CVSS score. What specific role does Solution Manager play in an enterprise environment that makes this vulnerability so profoundly dangerous, and what kind of damage could an attacker inflict after gaining code execution on such a central system?
SAP Solution Manager is essentially the central nervous system for a company’s entire SAP landscape. It’s not just another application; it’s the administrative console used to monitor, manage, and configure all other SAP systems—from finance and HR to supply chain logistics. Gaining arbitrary code execution on that system is the ultimate jackpot for an attacker. As the security researcher Thomas Fritsch warned, its central role demands a timely patch for a reason. Once an attacker can run their own code on the Solution Manager, they can do catastrophic damage. They could manipulate financial records, steal sensitive employee or customer data, disrupt critical business operations by shutting down production systems, or even deploy ransomware across the entire network of connected SAP instances. It’s the digital equivalent of a hostile actor gaining control of a building’s master security and utility console; from that one point, they can control everything.
A common thread between the Fortinet and one of the Ivanti flaws was “Improper Verification of Cryptographic Signature.” From a technical perspective, what is this error exactly, and based on your experience, why do you think we are seeing this fundamental mistake appear in different, unrelated enterprise products?
At its core, “Improper Verification of Cryptographic Signature” is a failure of digital trust. Imagine you’re presented with a document signed by a CEO. This vulnerability is the equivalent of checking that there is a signature, but not bothering to check if it’s the actual CEO’s signature or just a scribble. In the technical context, a system receives a piece of data, like a SAML authentication request or a software patch, that has a digital signature attached to prove its origin and integrity. The flaw means the software either doesn’t check the signature at all, or it checks it against the wrong set of trusted authorities, or it uses a flawed algorithm. The fact that we’re seeing this in separate, complex products like FortiOS and Ivanti EPM points to a systemic issue. Often, developers are using very powerful but complicated cryptographic libraries. Under pressure to deliver features, they might implement them incorrectly, or they might make assumptions about the data they’re receiving. It’s a fundamental, low-level mistake that suggests security isn’t being baked in from the start, and it’s a chilling reminder that even the most trusted enterprise solutions can have a surprisingly fragile foundation.
What is your forecast for the evolution of these enterprise-level vulnerabilities?
I predict we will see a continued and intensified focus by threat actors on these central management platforms. Compromising a single endpoint is good, but compromising a system like SAP Solution Manager, Ivanti Endpoint Manager, or a Fortinet management console is a force multiplier. It gives attackers the “keys to the kingdom,” allowing them to move laterally and deploy malware or exfiltrate data across an entire organization from a single point of entry. Furthermore, I believe the line between a direct attack and a supply chain attack will continue to blur. As we saw with the potential for JavaScript injection in the Ivanti flaw, these management tools can be turned into distribution platforms for malware, making every connected device a potential victim. Organizations must therefore move beyond just perimeter defense and assume that these central administrative tools are prime targets, requiring heightened monitoring, privilege segmentation, and rapid, disciplined patching.
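The signature-verification failure described earlier in the interview (accepting a signature without pinning which signer may vouch for an administrative SSO login), in miniature, as an added example that is not part of the interview or any vendor's code. An HMAC stands in for the identity provider's XML signature, and all key names, secrets and assertion fields are constructed.

```python
import hmac
import hashlib
import json

# Constructed keys. In real SAML these are IdP signing certificates; an HMAC
# secret stands in for them so the example runs on the standard library alone.
ALL_KNOWN_KEYS = {
    "idp-prod": b"constructed-production-idp-secret",
    "idp-lab": b"constructed-lab-idp-secret",  # valid for a lab tenant, never for admin SSO
}
# The only signer the service provider's configuration allows for admin logins.
ADMIN_SSO_TRUSTED = {"idp-prod": ALL_KNOWN_KEYS["idp-prod"]}


def canonical(assertion: dict) -> bytes:
    # Serialise deterministically so the bytes verified equal the bytes signed.
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict, key_id: str, key: bytes) -> dict:
    # Produce a signed message carrying the assertion, the claimed signer and the MAC.
    sig = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "key_id": key_id, "signature": sig}


def _mac_ok(msg: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(msg["assertion"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("signature", "")))


def verify_presence_only(msg: dict) -> bool:
    # Flaw 1: confirms that a signature exists, never whose it is.
    return bool(msg.get("signature"))


def verify_any_known_signer(msg: dict) -> bool:
    # Flaw 2: checks a real signature, but against the wrong trust set; any key the
    # product knows about is accepted, including one never meant for this endpoint.
    key = ALL_KNOWN_KEYS.get(msg.get("key_id"))
    return key is not None and _mac_ok(msg, key)


def verify_admin_sso(msg: dict) -> bool:
    # Correct: the trust anchor is fixed by the SP's own configuration, not by
    # whatever the incoming message claims about its signer.
    key = ADMIN_SSO_TRUSTED.get(msg.get("key_id"))
    return key is not None and _mac_ok(msg, key)
```

Detection follows the same rule: an SSO login whose assertion names a signer outside the configured trust set, or whose signature fails against that set, is an event worth alerting on rather than silently rejecting.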
