Both Fortinet and Ivanti have released urgent updates addressing critical OS command injection vulnerabilities that can be exploited remotely, without authentication, to execute arbitrary code on affected systems.
The flaws are about as bad as it gets from an attacker’s perspective: no credentials needed, no user interaction required, and the payoff is full remote code execution. That combination is a recipe for rapid exploitation, and security teams should treat these patches as drop-everything priorities.
Command injection bugs have been a recurring theme in network infrastructure products for years. The fact that two major vendors are dealing with them simultaneously is a reminder that input validation remains one of the most fundamental — and most frequently overlooked — aspects of secure software development.
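To make the bug class concrete, here is an added example (not code from Fortinet, Ivanti or SecurityWeek): a hypothetical "ping a host" diagnostic, first built the vulnerable way with the request parameter spliced into a shell command string, then hardened with allowlist validation and an argv list so no shell ever parses the value. The command, the hostname regex and the sample inputs are all constructed for this illustration.

```python
import re
import subprocess

# Hostname allowlist: DNS labels of letters, digits and hyphens joined by dots.
# Anything else (spaces, ';', '|', '$', backticks, quotes, ...) is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def build_ping_unsafe(host: str) -> str:
    """The vulnerable pattern: the parameter is spliced into a command string
    destined for a shell, so any shell syntax inside `host` is interpreted."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Allowlist validation: accept only a syntactically valid hostname."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return host


def build_ping_safe(host: str) -> list[str]:
    """The hardened pattern: validate first, then build an argv list so the
    value is passed as one argument and no shell is involved. The '--'
    stops the value from being read as an option by the ping binary."""
    return ["ping", "-c", "1", "--", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: the argv list goes straight to execve."""
    return subprocess.run(
        build_ping_safe(host), shell=False, capture_output=True, text=True, timeout=5
    )


if __name__ == "__main__":
    # Constructed inputs: one legitimate hostname, one carrying shell syntax.
    for value in ("example.com", "example.com; echo injected"):
        print("unsafe string:", build_ping_unsafe(value))
        try:
            print("safe argv    :", build_ping_safe(value))
        except ValueError as exc:
            print("safe argv    : REJECTED ->", exc)
```

The unsafe builder happily returns a string in which the second value's `;` would end the ping command, while the safe builder rejects it before anything is executed.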
If you are running Fortinet or Ivanti products in your environment, check the vendor advisories for your specific product versions and patch immediately. Do not wait for your next maintenance window on these.
Source: SecurityWeek
