MilikMilik

11 Critical Enterprise Vulnerabilities Patched: RCE, SQL Injection and Privilege Escalation Demanding Immediate Action

Why These New Enterprise Software Patches Cannot Wait

Ivanti, Fortinet, SAP, VMware and workflow automation platform n8n have collectively patched 11 serious issues spanning critical RCE vulnerability risks, SQL injection, authentication bypass and privilege escalation flaws. Several bugs carry CVSS scores of 9.4–9.6, making them among the most severe classes of enterprise software vulnerabilities. At the same time, Microsoft Defender is facing active exploitation of two newly disclosed weaknesses, while CISA has added exploited Langflow and Trend Micro Apex One bugs to its Known Exploited Vulnerabilities catalog with tight remediation deadlines. Together, these developments highlight an urgent need for rapid patching and targeted hardening, especially in environments where shared infrastructure or security tools could become a single point of failure. Security leaders should treat these enterprise software patches as high-priority change events, integrating vendor advisories into patch pipelines and coordinating downtime windows to minimize business disruption.

Ivanti, Fortinet, SAP and VMware Fix Critical RCE and Privilege Escalation Flaws

Across major vendors, attackers have new but now patchable paths to remote code execution and elevated access. Ivanti’s Xtraction flaw (CVE-2026-8043, CVSS 9.6) allows remote authenticated attackers to read sensitive files and write arbitrary HTML, opening the door to information disclosure and client-side attacks. Fortinet shipped fixes for two 9.1-rated bugs: CVE-2026-44277 in FortiAuthenticator and CVE-2026-26083 in FortiSandbox products, both enabling unauthenticated execution of unauthorized code via crafted HTTP requests. SAP addressed two 9.6-critical issues: CVE-2026-34260, an SQL injection vulnerability in S/4HANA that can expose sensitive data and crash applications, and CVE-2026-34263, a missing authentication check in SAP Commerce Cloud configuration that can lead to arbitrary server-side code execution. Broadcom also patched VMware Fusion’s CVE-2026-41702 (CVSS 7.8), a TOCTOU issue allowing local users to escalate privileges to root via a SETUID binary.

n8n Workflow Platform: Prototype Pollution Leading to Remote Code Execution

Automation platform n8n disclosed five critical vulnerabilities (each CVSS 9.4) that together create powerful RCE pathways on the host. CVE-2026-42231 affects the xml2js library used for XML request parsing in webhook handlers and enables prototype pollution via crafted XML, allowing authenticated workflow creators to achieve remote code execution. CVE-2026-42232 allows global prototype pollution via the XML Node, which can be chained with other nodes for RCE, while CVE-2026-44791 is a bypass of that fix, again leading to code execution on the n8n host. Additional issues, including CVE-2026-44789, similarly empower authenticated users with workflow permissions to escalate their impact drastically. n8n has released fixes in branches 1.123.x, 2.17.x, 2.18.x, 2.20.x and 2.22.x. Organizations relying on n8n for critical workflows should prioritize upgrades, restrict who can create or modify workflows and closely monitor automation nodes handling untrusted input.
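To make the prototype pollution class concrete for teams that review or harden workflow code, here is an added JavaScript example. It is not n8n or xml2js code and does not reproduce the actual n8n code path: the parsed document, the naive and hardened merge helpers and the pre-merge scan are all constructed for this illustration. It shows how a parser that turns attacker-chosen element names into object keys can pollute `Object.prototype` when the result is merged naively, and how a key filter plus null-prototype containers stops it.

```javascript
// Added example (not n8n or xml2js code): how a parser that turns attacker-
// chosen element names into object keys can pollute Object.prototype when the
// result is merged naively, and how a hardened merge and a pre-merge scan stop
// it. The sample document and the merge helpers are constructed for this
// example; they do not reproduce the actual n8n code path.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample: the object a parser might hand a workflow after reading
// an untrusted request body. JSON.parse is used so that "__proto__" becomes an
// ordinary own property, which is what a permissive parser produces.
const parsedUntrusted = JSON.parse(
  '{"order":{"id":42},"__proto__":{"isAdmin":true}}'
);

// Naive recursive merge: walks every key, including "__proto__". Reading
// target["__proto__"] on a plain object yields Object.prototype, so the
// recursion writes "isAdmin" onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the naive merge and reports whether an unrelated object now "has" the
// injected property; then removes it again so the process stays clean.
function demonstrateUnsafeMerge() {
  unsafeMerge({}, parsedUntrusted);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Pre-merge scan: returns the paths of any prototype-related keys so the
// request can be logged and rejected before it reaches a merge.
function findForbiddenKeys(value, path = '$', found = []) {
  if (!value || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

// Hardened merge: refuses prototype-related keys outright and only creates
// null-prototype containers, so there is no prototype chain left to reach.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!existing || typeof existing !== 'object') target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive merge leaked isAdmin to every object:', demonstrateUnsafeMerge());
  console.log('forbidden keys found:', findForbiddenKeys(parsedUntrusted));
  try {
    safeMerge({}, parsedUntrusted);
  } catch (err) {
    console.log('hardened merge rejected the request:', err.message);
  }
}
```

The scan is the piece worth wiring into monitoring: logging the paths it returns on inbound webhook or XML node input gives a concrete detection signal for the "untrusted input" nodes the advisory tells operators to watch, and a single rejected key is a strong indicator that someone is probing for this bug class.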

Microsoft Defender Under Active Exploitation: Privilege Escalation and DoS

Microsoft reported active exploitation of two Microsoft Defender vulnerabilities now patched in recent platform updates. CVE-2026-41091 (CVSS 7.8) is a privilege escalation flaw caused by improper link resolution before file access, enabling authorized attackers to gain SYSTEM privileges via link-following abuse. CVE-2026-45498 (CVSS 4.0) is a denial-of-service issue impacting Defender, capable of degrading protection on affected endpoints. Both are fixed in Microsoft Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not vulnerable, and in most cases updates deploy automatically through malware definition and engine updates. However, administrators should verify protection by manually checking for updates and confirming the Antimalware ClientVersion in Windows Security. CISA has added both flaws to the Known Exploited Vulnerabilities catalog, requiring federal agencies to apply these patches by June 3, underlining the urgency of remediation and verification.

CISA KEV Additions: Langflow and Trend Micro Apex One Exploited Bugs

CISA’s latest active exploitation alerts include two new entries: CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One. The Langflow issue (CVSS 9.4) is an origin validation error that enables arbitrary code execution and full system compromise. According to prior analysis, it results from overly permissive CORS, missing CSRF protections and a code-execution endpoint, exposing access tokens and API keys and risking cascading compromise across cloud and SaaS services. It has already been weaponized by the MuddyWater threat group for initial access. CVE-2026-34926 (CVSS 6.7) is a directory traversal flaw in on-premise Apex One that allows a pre-authenticated local attacker with pre-existing administrative credentials and server access to modify a key table and inject malicious code for deployment to agents. Federal agencies must patch by June 4 and enterprises should similarly prioritize updates, harden access controls and audit administrative activity.
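The Langflow root cause above, overly permissive CORS combined with missing CSRF protection on a sensitive endpoint, is a configuration class that is easy to test for in code review. The following added JavaScript example is not Langflow code; the allowlist and request values are constructed. It shows the weak reflect-any-origin pattern next to a strict allowlist check, and an Origin-based guard for state-changing requests.

```javascript
// Added example (not Langflow code): an origin validation error of the kind
// described above, shown next to a strict allowlist check and an Origin-based
// guard for state-changing requests. ALLOWED_ORIGINS and all request values
// below are constructed for this example.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.internal',
  'https://admin.example.internal:8443',
]);

// Parses an Origin or Referer value down to scheme://host[:port]; returns
// null for anything unparsable and for the opaque "null" origin that browsers
// send from sandboxed contexts (which must never be allowlisted).
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Weak pattern (the bug class, not a fix): reflect whatever Origin arrived and
// allow credentials. Every site a logged-in user visits can then call this API
// with the user's cookies and read the response, tokens and keys included.
function permissiveCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: compare the normalized origin against an explicit allowlist and
// emit no CORS headers at all on a miss. Exact match on the full origin means
// "https://app.example.internal.evil.test" cannot slip through as a prefix.
function strictCorsHeaders(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  const origin = originOf(requestOrigin || '');
  if (!origin || !allowlist.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Guard for state-changing requests: browsers attach Origin to cross-origin
// POST/PUT/DELETE, so a request whose Origin (or Referer, as fallback) is not
// ours is rejected regardless of which cookies it carries. A request with
// neither header is rejected as well; non-browser clients should authenticate
// with an explicit token rather than ambient cookies.
function isTrustedStateChange(method, headers, allowlist = ALLOWED_ORIGINS) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  const source = headers['origin'] || headers['referer'] || '';
  const origin = originOf(source);
  return origin !== null && allowlist.has(origin);
}

// Usage: a request handler for a code-execution or API-key endpoint calls
// strictCorsHeaders for the response and isTrustedStateChange before doing work.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', permissiveCorsHeaders('https://evil.test'));
  console.log('strict:', strictCorsHeaders('https://evil.test'));
  console.log('state change allowed:',
    isTrustedStateChange('POST', { origin: 'https://app.example.internal' }));
}
```

Two design points matter here. First, the hardened path returns no CORS headers at all on a miss rather than a "safe default" origin, because the browser then refuses to expose the response and there is nothing to reflect. Second, `Vary: Origin` keeps shared caches from serving one origin's allow header to another, a quieter failure mode of the same class.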
