
Ivanti, Fortinet Patch Remote Code Execution Vulnerabilities – Source: www.securityweek.com


Source: www.securityweek.com – Author: Ionut Arghire

Ivanti and Fortinet on Tuesday announced patches for vulnerabilities found recently in their product portfolios, including critical- and high-severity flaws that could lead to remote code execution.

Ivanti rolled out fixes for 11 security defects across Connect Secure (ICS), Policy Secure (IPS), Secure Access Client (ISAC), Neurons for MDM (N-MDM), and Cloud Services Application (CSA).

Of the eight bugs resolved in ICS, IPS, and ISAC, three are critical-severity flaws that could allow remote attackers to write arbitrary files and execute arbitrary code.

The three critical issues are tracked as CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644, and all of them require authentication to be exploited.

Ivanti resolved the vulnerabilities with the release of ICS version 22.7R2.6, IPS version 22.7R1.3, and ISAC version 22.8R1. The updates also address one high- and four medium-severity bugs.

On Tuesday, Ivanti released N-MDM R110 to resolve a medium-severity flaw, and announced that CSA version 5.0.5 patches a critical-risk OS injection and a medium-risk path traversal, tracked as CVE-2024-47908 (CVSS score of 9.1) and CVE-2024-11771 (CVSS score of 5.3).

“Successful exploitation of CVE-2024-47908 could allow a remote authenticated attacker to achieve remote code execution and CVE-2024-11771 could allow a remote unauthenticated attacker to access restricted functionality,” the company said.

Ivanti says it is not aware of any of these vulnerabilities being exploited in the wild, but customers are advised to update their appliances as soon as possible.
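The fixed versions above are the operationally useful fact in this section. As an added example (not code from the SecurityWeek article or from Ivanti), here is a small Python checker that compares an appliance inventory against those fixed versions. The version-ordering rules it applies (tokens compared left to right, numeric tokens numerically, a shorter version that is a prefix of a longer one treated as older) are this example's assumptions, not a documented Ivanti scheme, and the hostnames and installed versions in the sample inventory are constructed for the demo. Ivanti's advisory remains the authority on which builds contain a given fix; a higher release branch is not guaranteed to carry a fix shipped on a lower one.

```python
"""Patch-level check for the Ivanti fixed versions named in the article.

Added example, not code from SecurityWeek or Ivanti. The version-ordering
rules are assumptions stated in compare_versions(); the vendor advisory is
authoritative on which builds actually contain a fix.
"""
import re
from typing import Dict, List, Tuple, Union

Token = Union[int, str]

# Fixed versions exactly as the article lists them. Product labels are our own.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.3",
    "Ivanti Secure Access Client": "22.8R1",
    "Ivanti Neurons for MDM": "R110",
    "Ivanti Cloud Services Application": "5.0.5",
}


def tokenize(version: str) -> List[Token]:
    """Split a version string into comparable tokens.

    '22.7R2.6' -> [22, 7, 'R', 2, 6]: digit runs become ints so that 10 > 9,
    letter runs are kept (upper-cased) so that an 'R' marker must line up.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return [int(p) if p.isdigit() else p.upper() for p in parts]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Assumptions (ours, not the vendor's): tokens compare left to right, numeric
    tokens numerically, and a version that is a strict prefix of another is the
    older one (22.8R1 < 22.8R1.1). A number facing a letter marker at the same
    position (22.7R2 vs 22.7.2) is treated as incomparable rather than guessed.
    """
    ta, tb = tokenize(a), tokenize(b)
    for x, y in zip(ta, tb):
        if type(x) is not type(y):
            raise ValueError(f"incomparable version formats: {a!r} vs {b!r}")
        if x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    return -1 if len(ta) < len(tb) else 1


def is_patched(product: str, installed: str) -> bool:
    """True if installed is at or above the fixed version the article names."""
    return compare_versions(installed, FIXED_VERSIONS[product]) >= 0


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate (host, product, installed) records with PATCHED / VULNERABLE / UNKNOWN."""
    report = []
    for host, product, installed in inventory:
        try:
            status = "PATCHED" if is_patched(product, installed) else "VULNERABLE"
        except (KeyError, ValueError):
            # Product not in our table, or a version format we refuse to compare:
            # flag for manual review instead of silently calling it patched.
            status = "UNKNOWN"
        report.append((host, product, installed, status))
    return report


# Constructed sample inventory (hostnames and installed versions invented for the demo).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ("mdm-01", "Ivanti Neurons for MDM", "R109"),
    ("csa-01", "Ivanti Cloud Services Application", "5.0.4"),
    ("csa-02", "Ivanti Cloud Services Application", "5.0.5"),
]

if __name__ == "__main__":
    for host, product, installed, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:36} {installed:10} {status}")
```

Run it directly to print the table. The UNKNOWN status is deliberate: a product the table does not cover, or a version string whose shape cannot be lined up token by token with the fixed version, is surfaced for a human to check rather than being counted as patched.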


On Tuesday, Fortinet published 14 security advisories describing flaws in FortiOS, FortiPortal, FortiAnalyzer, FortiManager, and several other products.

The most severe of these issues include CVE-2025-24470 (CVSS score of 8.1), a FortiPortal bug that enables a remote unauthenticated attacker to retrieve source code, and CVE-2024-40591 (CVSS score of 8.0), an incorrect privilege assignment flaw in the FortiOS security fabric that could allow an attacker logged in as admin to escalate their privileges to super-admin.

Fortinet also resolved a high-severity stack-based buffer overflow defect in FortiOS CAPWAP control that could lead to arbitrary code execution, and which is tracked as CVE-2024-35279.

The company also updated the January advisory for an exploited zero-day in FortiOS and FortiProxy to add a second CVE to the list, namely CVE-2025-24472 (CVSS score of 8.1).

The initial vulnerability, tracked as CVE-2024-55591, allowed an attacker to elevate their privileges to super-admin by sending crafted requests to the Node.js websocket module. The new CVE covers an additional attack vector that relies on crafted CSF proxy requests.

Fortinet’s remaining advisories detail medium- and low-severity vulnerabilities that could lead to code execution, information leaks, authentication bypass, privilege escalation, retrieval of private keys and encrypted passwords, cross-site scripting (XSS) attacks, file deletion, and secret decryption.

The company makes no mention of any of these issues being exploited in the wild. Additional information can be found on Fortinet’s PSIRT advisories page.


Original Post URL: https://www.securityweek.com/ivanti-fortinet-patch-remote-code-execution-vulnerabilities/

Category & Tags: Vulnerabilities, Fortinet, Ivanti, Patch, vulnerability


