What This Wave of Critical Software Patches Means for Enterprises
Critical software patches are vendor‑supplied updates that fix severe vulnerabilities which can enable remote code execution, authentication bypass, or other high‑impact attacks against enterprise systems. In the latest cycle, Fortinet, Ivanti, SAP, and Cisco ecosystems all received fixes for flaws ranging up to a CVSS 10.0 vulnerability, while several issues in Cisco, Chrome, and Arista products were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. These bugs span security appliances, identity and kernel components in ERP platforms, and SD‑WAN and data‑center networking gear. For IT and security teams, this creates immediate pressure on enterprise patch management: the risk is no longer hypothetical, and attackers have working paths to remote code execution and administrative takeover. A coordinated, asset‑aware response is now a priority rather than an optimization task.
Ivanti and Fortinet: CVSS 10.0 Vulnerability and Sandbox RCE Risk
Ivanti Sentry and Fortinet FortiSandbox sit directly in many organizations’ security perimeters, making their new critical software patches especially urgent. Ivanti fixed two severe flaws in Sentry: CVE-2026-10520, a CVSS 10.0 vulnerability that allows remote, unauthenticated command injection leading to root‑level remote code execution, and CVE-2026-10523, a CVSS 9.9 authentication bypass that lets attackers create arbitrary administrative accounts and gain full admin access before versions R10.5.2, R10.6.2, and R10.7.1. According to watchTowr Labs, CVE-2026-10520 can be triggered via a crafted HTTP request to the “/mics/api/v2/sentry/mics-config/handleMessage” endpoint. Fortinet, meanwhile, patched CVE-2026-25089, a CVSS 9.1 command injection bug in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that enables unauthorized OS commands through crafted HTTP requests. Internet‑facing instances and management interfaces should be patched or taken behind strong access controls without delay.
CISA KEV Additions: Cisco SD‑WAN, Chrome V8, and Arista EOS
Active exploitation KEV listings elevate several medium‑to‑high severity flaws into top‑tier priorities, regardless of raw CVSS scores. CISA added three bugs to its Known Exploited Vulnerabilities catalog: CVE-2026-20245 (CVSS 7.8), an improper encoding vulnerability in Cisco Catalyst SD‑WAN Manager that allows an authenticated local attacker to execute arbitrary commands as root using a crafted file; CVE-2026-11645 (CVSS 8.8), an out‑of‑bounds read/write in Google Chrome’s V8 engine that can lead to arbitrary code execution inside the browser sandbox via a malicious HTML page; and CVE-2026-7473 (CVSS 6.9), an Arista EOS issue where tunnel endpoints may process non‑configured tunnel traffic when decapsulation IPs are set. Arista has acknowledged exploitation and noted no software patch is planned, so operators must rely on configuration changes and architecture controls to contain exposure on affected EOS platforms.
SAP June Patch Day: Four Critical Issues Across ABAP, Java, and Commerce
SAP’s June Security Patch Day introduced four critical notes that affect identity, kernel, Java, and commerce layers, putting core business platforms squarely in scope for enterprise patch management. The highest‑scoring issue, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform, allowing manipulated signed XML to bypass trust boundaries and grant unauthorized access. Another kernel‑level memory corruption bug, CVE-2026-27671 (CVSS 9.8), affects the SAP Kernel used by Application Server ABAP and can be triggered via crafted RFC requests, with no workaround other than a kernel update. On the Java side, CVE-2026-40128 (CVSS 9.0) in the Web Container of SAP NetWeaver AS Java enables path traversal through malicious HTTP logon requests, impacting data confidentiality and availability. Commerce Cloud and SAP Data Hub are also affected by Spring Security issues, heightening internet‑facing risk.
How to Prioritize Patching: From CVSS Scores to Business Impact
With overlapping advisories and active exploitation, IT teams need a simple, defensible prioritization model. Start by grouping vulnerabilities by CVSS score, treating 9.0+ issues and any CVSS 10.0 vulnerability as emergency changes. Next, overlay exploitation status: anything in the KEV catalog, such as the Cisco SD‑WAN Manager, Chrome V8, and Arista EOS flaws, should move to the same top tier as critical scores, even when their CVSS is lower. Then, rank affected assets by criticality and exposure: internet‑facing Ivanti Sentry gateways, FortiSandbox web UIs, SAP SAML endpoints, and Java web containers accessible from outside the core network deserve earlier maintenance windows than internal, low‑privilege components. Where patches are unavailable, as with Arista EOS, enforce compensating controls: restrict tunnel endpoints, tighten browser updates, harden management access, and monitor for unusual authentication and tunnel traffic to catch exploitation attempts early.
