
Enterprise Software Giants Race to Patch Critical RCE and Authentication Flaws

Wave of Critical RCE Vulnerabilities Hits Core Enterprise Platforms

A new wave of critical RCE vulnerabilities is rippling across core enterprise infrastructure, forcing organizations to fast‑track software patching. Ivanti, Fortinet, SAP, VMware and workflow automation platform n8n have all released emergency updates for 11 serious flaws, several rated 9.6 on the CVSS scale. These issues span remote code execution, SQL injection, authentication bypass and privilege escalation flaws, creating multiple paths for attackers to gain control of systems handling sensitive data and identity services. The affected products sit deep in enterprise stacks: identity appliances, security sandboxes, ERP platforms, desktop virtualization tools and low‑code automation engines. Together they form a broad attack surface that adversaries can chain with other weaknesses or zero-day exploits. Because these platforms often underpin critical business processes, delayed patching significantly increases operational and security risk, especially in environments with limited segmentation or shared credentials.

Ivanti, Fortinet, SAP and VMware: Priority Patches to Schedule Now

Several vendor updates deserve immediate prioritization in patch queues. Ivanti’s Xtraction analytics tool suffers from a 9.6‑rated flaw (CVE-2026-8043) that allows remote, authenticated attackers to read sensitive files and plant arbitrary HTML, enabling information disclosure and client‑side attacks. Fortinet has patched two 9.1‑rated critical RCE vulnerabilities in FortiAuthenticator and FortiSandbox deployments, both exploitable without authentication via crafted HTTP requests. SAP administrators must urgently address two 9.6‑rated issues: an SQL injection bug in SAP S/4HANA (CVE-2026-34260) and a missing authentication check in SAP Commerce Cloud (CVE-2026-34263) that can lead to arbitrary server‑side code execution. Meanwhile, Broadcom fixed a high‑severity TOCTOU issue in VMware Fusion (CVE-2026-41702), which allows a local, non‑administrative user to escalate privileges to root. For enterprises, these updates should be tested and deployed without delay.

n8n Prototype Pollution Bugs Enable Automation-Platform RCE

Automation and workflow orchestration environments are also under pressure. The n8n platform has patched five critical vulnerabilities (all rated 9.4) that allow authenticated users with workflow creation rights to achieve remote code execution on the n8n host. Several issues stem from prototype pollution in XML parsing and HTTP request handling, including CVE-2026-42231 and CVE-2026-42232, plus a bypass (CVE-2026-44791) that restores the attack path. Additional flaws allow malicious injection through pagination parameters and Git node flags, enabling arbitrary file reads and full system compromise. Because n8n often connects to numerous SaaS, data and security tools, a successful exploit can cascade across integrated systems. Security teams should upgrade to the fixed branches specified by n8n, audit workflows and credentials, and restrict who can create or modify workflows. Treating low‑code automation as high‑privilege infrastructure is crucial, especially given how easily such platforms can become conduits for critical RCE vulnerabilities.

CISA KEV Updates and the Federal Patch Deadline

Beyond vendor advisories, the CISA KEV catalog continues to highlight vulnerabilities under active attack. CISA has added an origin validation error in Langflow (CVE-2025-34291, CVSS 9.4) and a directory traversal flaw in Trend Micro Apex One (CVE-2026-34926, CVSS 6.7), both already exploited in the wild. The Langflow bug combines permissive CORS, missing CSRF protections and a code‑execution endpoint to deliver arbitrary code execution and exposure of stored tokens and API keys, enabling cascading compromise of downstream cloud and SaaS services. Trend Micro reports real‑world attempts to abuse the Apex One on‑premise issue to modify key tables and distribute malicious code to agents, assuming attackers have already obtained administrative access. In response, federal agencies have been given a June 4, 2026 deadline to patch these exploited vulnerabilities. Enterprises should mirror this urgency by treating KEV‑listed flaws as mandatory, time‑bound remediation tasks, with clear ownership and tracking.

What Enterprises Must Do Now to Contain Widespread Exposure

With critical RCE vulnerabilities spanning identity, ERP, virtualization, security and automation tools, enterprises face widespread exposure that attackers can exploit quickly. Immediate actions should include updating Ivanti Xtraction, FortiAuthenticator, FortiSandbox, SAP S/4HANA, SAP Commerce Cloud, VMware Fusion and n8n to the latest patched versions, while also reviewing vendor guidance for any compensating controls. Environments using Langflow or Trend Micro Apex One must prioritize fixes, especially where these systems bridge to sensitive networks or cloud estates. Security teams should tighten access to administration interfaces, enforce least privilege, and monitor for unusual authentication, configuration or workflow changes that might signal exploitation or privilege escalation flaws. Because many of these weaknesses can be chained with other zero-day exploits, organizations should enhance logging and detection around these platforms. Finally, adopt a continuous vulnerability management process anchored to the CISA KEV catalog, ensuring exploited issues are rapidly identified, risk‑rated and remediated before they can be weaponized at scale.
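The KEV‑anchored tracking recommended above, and the June 4, 2026 deadline for the two KEV entries named earlier, can be turned into a simple report that cross‑checks an asset inventory against the catalog. This is an added example, not code from the article, CISA or any of the vendors; the KEV snapshot is constructed (it follows the field names of CISA's published JSON feed, `vulnerabilities` / `cveID` / `vendorProject` / `product` / `dueDate`) and the host inventory is hypothetical.

```python
"""Cross-check a CVE inventory against a CISA KEV catalog snapshot (added example)."""
import json
from datetime import date

# Constructed KEV snapshot using the field names of CISA's JSON feed.
# Only the two entries named in the article are included.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-34291", "vendorProject": "Langflow",
         "product": "Langflow", "dueDate": "2026-06-04"},
        {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro",
         "product": "Apex One", "dueDate": "2026-06-04"},
    ]
})

# Hypothetical inventory: host -> CVEs known to affect its installed version.
INVENTORY = {
    "ai-builder-01": ["CVE-2025-34291"],
    "epp-console-01": ["CVE-2026-34926"],
    "erp-app-02": ["CVE-2026-34260"],  # SAP flaw from the article; not in this KEV snapshot
}


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE id so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_exposure(inventory: dict, kev: dict, today_iso: str) -> list:
    """Return one finding per (host, CVE) that appears in KEV, most urgent first.

    CVEs not in KEV are skipped: they fall under the normal patch SLA, not the
    KEV due date. A negative days_left means the KEV deadline has already passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host, "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"], "days_left": (due - today).days,
                "overdue": today > due,
            })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in kev_exposure(INVENTORY, load_kev(KEV_SNAPSHOT), "2026-06-01"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:15} {f['cve']:16} {f['product']:22} due {f['due']} {status}")
```

In practice the snapshot would be replaced by the live KEV JSON and the inventory by scanner or CMDB output; the report then gives each KEV‑listed CVE an owner (the host) and a hard date, which is the tracking the article calls for.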
