Fortinet has moved to address 14 security vulnerabilities across several products as part of this month's Patch Tuesday, according to SecurityWeek.
Most severe of the fixed security issues is the high-severity OS command injection flaw in FortiADC, tracked as CVE-2025-31104, which could be exploited to allow arbitrary code execution via crafted HTTP requests, noted Fortinet. All of the other patched defects, which impact FortiOS, FortiClient for Windows, FortiClientEMS, FortiSRA, FortiPAM, FortiProxy, FortiWeb, FortiSASE, and FortiPortal, were of the medium severity variety. Aside from enabling server-side request forgery intrusions, unauthorized session injections, and unauthorized resource access, such bugs could also be leveraged to facilitate VPN connection redirections, SSL-VPN portal and settings access, device information compromise, privilege escalation, and downstream device impersonation, Fortinet added. Such a development comes as Ivanti released patches for a trio of high-severity flaws in its Workspace Control product, tracked as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, which could be abused for SQL credential decryption.
Most severe of the fixed security issues is the high-severity OS command injection flaw in FortiADC, tracked as CVE-2025-31104, which could be exploited to allow arbitrary code execution via crafted HTTP requests, noted Fortinet. All of the other patched defects, which impact FortiOS, FortiClient for Windows, FortiClientEMS, FortiSRA, FortiPAM, FortiProxy, FortiWeb, FortiSASE, and FortiPortal, were of the medium severity variety. Aside from enabling server-side request forgery intrusions, unauthorized session injections, and unauthorized resource access, such bugs could also be leveraged to facilitate VPN connection redirections, SSL-VPN portal and settings access, device information compromise, privilege escalation, and downstream device impersonation, Fortinet added. Such a development comes as Ivanti released patches for a trio of high-severity flaws in its Workspace Control product, tracked as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, which could be abused for SQL credential decryption.
