Two critical OS command injection flaws have been disclosed in Fortinet and Ivanti products, enabling remote attackers to inject arbitrary commands without authentication. The vulnerabilities, patched in recent updates, allow for code execution on affected systems, posing a severe threat to enterprise networks.

The flaws carry high severity ratings, though exact CVSS scores were not given in the available sources. At least one vendor has confirmed active exploitation attempts, though specific figures on the number of affected systems remain undisclosed. Security researchers warn that the vulnerabilities could be chained with initial access vectors for deeper compromise.

Both flaws stem from improper neutralization of special elements in inputs used to build system commands (the CWE-78 weakness class): a crafted request to a vulnerable endpoint causes attacker-controlled characters to be interpreted as part of the command line, giving full system compromise without prior authentication. No specific indicators of compromise were detailed in available reports.
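As an added illustration of the bug class (not code from either vendor's products or from the reports), the constructed diagnostic handler below shows the unsafe string-splicing pattern beside an argv-based, allowlisted version, plus a simple triage check a defender can run over request parameters. The endpoint, the `host` parameter and the hostname rule are assumptions.

```python
import re
import subprocess

# Constructed scenario: an appliance "diagnostics" endpoint that pings a host
# supplied by the client. Neither function below is taken from a real product.

# Allowlist for a hostname or IPv4 literal: labels of letters, digits and
# hyphens, joined by dots. Anything else (spaces, ';', '&', '|', '$', ...) fails.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

# Shell metacharacters that have no business in a hostname parameter.
SHELL_METACHARS = frozenset(";|&`$()<>\n\r")


def build_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: untrusted input is spliced into a single shell string.
    If this string is handed to a shell, any metacharacters in `host` are
    interpreted as command syntax rather than as part of the hostname."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject anything that is not a syntactically valid hostname/IPv4 literal."""
    if len(host) > 253 or HOSTNAME_RE.fullmatch(host) is None:
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def build_command_hardened(host: str) -> list[str]:
    """Hardened form: validated value becomes one argv element. With shell=False
    no shell ever parses it, and '--' stops ping from reading it as an option."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def run_ping_hardened(host: str, timeout: float = 10.0) -> int:
    """Execute the hardened argv directly (no shell) and return ping's exit code."""
    argv = build_command_hardened(host)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.returncode


def suspicious_parameter(value: str) -> bool:
    """Defender-side triage: flag request parameters carrying shell
    metacharacters when sweeping WAF or access logs for probing of such endpoints."""
    return any(ch in SHELL_METACHARS for ch in value)
```

The unsafe builder is kept only to show what the shell would receive; `run_ping_hardened` is the pattern to deploy.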

Both Fortinet and Ivanti have released patches addressing the vulnerabilities. Fortinet recommends updating firmware to the latest versions, while Ivanti advises applying its security updates immediately. No workarounds were provided, underscoring the urgency of patching.

Attribution remains unclear, though public disclosures were coordinated through responsible disclosure programs. These flaws highlight persistent risks in widely deployed enterprise software, where unauthenticated remote code execution vulnerabilities continue to emerge.