Source: www.securityweek.com – Author: Ionut Arghire
Ivanti, Fortinet, and Splunk on Tuesday announced patches for dozens of vulnerabilities across their product portfolios, including critical- and high-severity flaws.
Security updates released for Ivanti Connect Secure (ICS) and Policy Secure (IPS), Endpoint Manager Mobile (EPMM), and Endpoint Manager (EPM) resolve a total of 11 bugs that require authentication to be exploited.
The EPM update resolves three high-severity defects that could allow attackers to decrypt other users’ passwords or read arbitrary data from the database, while the EPMM refresh fixes two high-severity OS command injection flaws leading to remote code execution.
Ivanti fixed six medium-severity issues in ICS and IPS, warning they could be exploited to modify restricted settings, cause a denial-of-service (DoS) condition, extract sensitive information from log files, write to a protected configuration file on disk, and access internal network services.
“We have no evidence of any of these vulnerabilities being exploited in the wild,” Ivanti notes in its advisory.
On Tuesday, Fortinet published eight advisories detailing one critical-, one high-, five medium-, and one low-severity vulnerability impacting FortiAnalyzer, FortiIsolator, FortiManager, FortiOS, FortiProxy, FortiSandbox, FortiSASE, FortiVoice, and FortiWeb.
Tracked as CVE-2025-25257 (CVSS score of 9.6), the critical bug is an SQL injection flaw in FortiWeb that could be exploited via crafted HTTP or HTTPS requests to execute unauthorized SQL code or commands. No authentication is required for successful exploitation.
Crafted HTTP/HTTPS or CLI requests could also be used to exploit two high-severity OS command injection defects in FortiVoice. Tracked as CVE-2025-47856 (CVSS score of 7.2), these issues could allow a privileged attacker to run arbitrary code or commands.
Fortinet makes no mention of any of the newly addressed vulnerabilities being exploited in the wild. Additional information can be found on the company’s PSIRT advisories page.
The most important of the 12 advisories that Splunk published this week resolve critical- and high-severity flaws in third-party dependencies in Splunk SOAR, Enterprise, and DB Connect. Most of these are bugs disclosed last year, with several 2022 and 2023 CVEs also resolved. One issue was disclosed in 2013.
Additionally, the company announced fixes for seven medium- and one low-severity issue in Splunk Enterprise that could be exploited to execute commands remotely, cause a DoS condition, change SHC membership state, disable the scheduled search within the Archiver application, create or overwrite system source type configurations, suppress a specific alert, and expose the search head cluster splunk.secret key.
Original Post URL: https://www.securityweek.com/ivanti-fortinet-splunk-release-security-updates/