MilikMilik

Five Enterprise Software Giants Rush Out Critical Patches for RCE and Privilege Escalation Flaws

A Wave of Critical Software Vulnerabilities Across Core Enterprise Stack

Multiple major vendors have pushed emergency enterprise security updates to address critical software vulnerabilities spanning remote code execution (RCE), SQL injection, and privilege escalation flaws. Ivanti, Fortinet, SAP, VMware, and workflow automation platform n8n collectively disclosed and patched 11 issues, several rated 9.4–9.6 on the CVSS scale. These bugs impact widely deployed products, from identity and network security appliances to ERP platforms, virtualization software, and low-code automation tools, forming a cross‑section of modern enterprise infrastructure. In parallel, Microsoft confirmed active exploitation of two Microsoft Defender vulnerabilities, underscoring that attackers are rapidly weaponizing newly discovered weaknesses. Security teams now face a compressed patch cycle as multiple high‑severity and actively exploited vulnerabilities converge in the same time window. The coordinated patch releases signal heightened threat activity and a need for faster, risk‑based prioritization of patches for RCE and privilege escalation flaws in production environments.

Ivanti, Fortinet, SAP, and VMware Address RCE and Privilege Escalation Flaws

On the application and network side, vendors released targeted fixes for some of the most severe vulnerabilities. Ivanti patched CVE-2026-8043, a 9.6-rated flaw in Ivanti Xtraction that allows external control of file names, enabling authenticated attackers to read sensitive files and write arbitrary HTML to web directories for client-side attacks. Fortinet issued RCE patches for two 9.1-rated bugs in FortiAuthenticator (CVE-2026-44277) and FortiSandbox products (CVE-2026-26083), both enabling unauthenticated code execution via crafted or HTTP requests. SAP shipped fixes for two 9.6-rated issues: an SQL injection in SAP S/4HANA (CVE-2026-34260) threatening data confidentiality and availability, and a missing authentication check in SAP Commerce Cloud (CVE-2026-34263) that can lead to arbitrary server-side code execution. Broadcom also patched a high-severity TOCTOU vulnerability in VMware Fusion (CVE-2026-41702), which allows a local non-admin user to escalate privileges to root through a SETUID binary.

n8n Prototype Pollution Bugs Enable Remote Code Execution

Automation platform n8n disclosed a cluster of critical vulnerabilities that demonstrate how complex application logic can open dangerous RCE paths. Multiple CVEs, including CVE-2026-42231, CVE-2026-42232, and CVE-2026-44791, center on prototype pollution in XML parsing and workflow nodes. Exploitation requires an authenticated user with permissions to create or modify workflows, but successful attacks can lead to remote code execution on the n8n host by abusing manipulated prototypes in combination with other nodes. One bug is explicitly described as a bypass of a previous fix, highlighting how attackers iterate on earlier research to regain execution paths. n8n has issued fixes across several version lines, and administrators should prioritize upgrading instances that expose webhook handlers or are integrated with sensitive downstream systems. Because these issues turn seemingly benign workflow logic into an RCE vector, they exemplify how low-code tools can conceal high‑impact privilege escalation flaws if not rigorously secured.
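
The bug class described above, shown as an added example (not n8n's code and not taken from its advisories): a converter that turns XML element names into object keys, beside a hardened version. The function names, the small tokenizer and the sample document are constructed for illustration.

```javascript
// Added illustration of the bug class; not n8n's code. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Minimal tokenizer for simple, attribute-free XML: yields [elementPath, text] pairs.
function xmlToPairs(xml) {
  const pairs = [];
  const stack = [];
  for (const m of xml.matchAll(/<(\/?)([^\s<>\/]+)>|([^<]+)/g)) {
    if (m[3] !== undefined) {
      if (m[3].trim() && stack.length) pairs.push([[...stack], m[3].trim()]);
    } else if (m[1]) stack.pop();
    else stack.push(m[2]);
  }
  return pairs;
}

// Vulnerable pattern: element names become property names on plain objects,
// so an element called "__proto__" steps onto Object.prototype.
function buildUnsafe(pairs) {
  const root = {};
  for (const [path, text] of pairs) {
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = text;
  }
  return root;
}

// Hardened pattern: reject dangerous names and use prototype-less containers.
function buildSafe(pairs) {
  const root = Object.create(null);
  for (const [path, text] of pairs) {
    if (path.some((k) => BLOCKED_KEYS.has(k))) throw new Error('blocked element name: ' + path.join('/'));
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = text;
  }
  return root;
}

// Constructed sample input.
const SAMPLE_XML = '<doc><name>report</name><__proto__><polluted>yes</polluted></__proto__></doc>';
```

Running `buildUnsafe(xmlToPairs(SAMPLE_XML))` leaves `({}).polluted` set on every object in the process, while `buildSafe` throws on the same input.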

Microsoft Defender Privilege Escalation Bugs Already Under Active Attack

While many vendors are patching proactively, Microsoft confirmed that two vulnerabilities in Microsoft Defender are already being used in real-world attacks. CVE-2026-41091, rated 7.8, is a privilege escalation flaw caused by improper link resolution before file access, allowing an authorized attacker to elevate privileges locally to SYSTEM. CVE-2026-45498, scored 4.0, is a denial-of-service issue that can disrupt Defender’s operation. Both have been fixed in updated Microsoft Defender Antimalware Platform builds, which are delivered automatically with malware definition and engine updates on supported systems. Environments that have disabled Defender are not exposed, but they must rely on other controls for equivalent protection. The vulnerabilities have been added to an official Known Exploited Vulnerabilities catalog with a near-term patch deadline for government agencies, emphasizing that these are actively exploited vulnerabilities and should be prioritized alongside RCE patches affecting networked services.

Langflow and Trend Micro Apex One Exploits Deepen the Risk Landscape

Beyond the latest vendor advisories, authorities have also highlighted additional actively exploited vulnerabilities in adjacent parts of the enterprise stack. An origin validation error in Langflow (CVE-2025-34291, CVSS 9.4) allows arbitrary code execution and full system compromise, driven by a combination of overly permissive CORS settings, missing CSRF protection, and a code-executing endpoint. Successful attacks can expose all access tokens and API keys stored in Langflow, creating a cascading compromise across integrated cloud and SaaS services. Meanwhile, a directory traversal flaw in Trend Micro Apex One (CVE-2026-34926, CVSS 6.7) can be abused by an attacker who already has administrative access to the server to modify key tables and inject malicious code for deployment to agents. Both have been added to the Known Exploited Vulnerabilities catalog, reinforcing that defenders must treat these enterprise security updates as urgent, coordinated responses to an elevated threat environment.
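
How the first two conditions named above combine, as an added example that is not Langflow's code: a framework-agnostic gate for cookie-authenticated requests, evaluated under a permissive policy and a strict one. The policy fields, the `x-csrf-token` header name, the origins and the token value are assumptions made for the example.

```javascript
// Added illustration; not Langflow's code. Policy fields and names are hypothetical.
const PERMISSIVE = { allowedOrigins: '*', allowCredentials: true, requireCsrfToken: false };
const STRICT = {
  allowedOrigins: ['https://flows.example.internal'], // constructed origin
  allowCredentials: true,
  requireCsrfToken: true,
};
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function originAllowed(policy, origin) {
  if (policy.allowedOrigins === '*') return true; // weak setting: any site is trusted
  return policy.allowedOrigins.includes(origin); // exact match, no suffix or regex matching
}

// Decide whether a cookie-authenticated request may reach a sensitive handler,
// and which CORS headers the response would carry.
function evaluate(policy, req) {
  const origin = req.headers.origin;
  const corsHeaders = {};
  if (origin && originAllowed(policy, origin)) {
    corsHeaders['Access-Control-Allow-Origin'] = origin;
    corsHeaders['Vary'] = 'Origin';
    if (policy.allowCredentials) corsHeaders['Access-Control-Allow-Credentials'] = 'true';
  }
  if (!STATE_CHANGING.has(req.method)) return { allowed: true, reason: 'safe method', corsHeaders };
  if (origin && !originAllowed(policy, origin)) {
    return { allowed: false, reason: 'origin not on allowlist', corsHeaders };
  }
  if (policy.requireCsrfToken) {
    const sent = req.headers['x-csrf-token'];
    // Plain comparison keeps the example short; use a constant-time compare in production.
    if (!sent || sent !== req.session.csrfToken) {
      return { allowed: false, reason: 'missing or wrong CSRF token', corsHeaders };
    }
  }
  return { allowed: true, reason: 'passed origin and CSRF checks', corsHeaders };
}

// Constructed request: a page on another origin posts with the user's session attached.
const CROSS_SITE_POST = {
  method: 'POST',
  headers: { origin: 'https://unrelated.example' },
  session: { csrfToken: 'constructed-token-value' },
};
```

Under `PERMISSIVE` the constructed cross-site POST is accepted and the response echoes the foreign origin with credentials allowed; under `STRICT` the same request is refused before it reaches the handler.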
