
Ivanti and Fortinet have released security updates to resolve over a dozen vulnerabilities across their platforms, including several rated high severity.
Ivanti Vulnerabilities
Ivanti published an update for Workspace Control (IWC) to address three high-severity vulnerabilities—CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455. These flaws stem from hardcoded encryption keys present in IWC versions 10.19.0.0 and earlier, which could allow authenticated attackers to decrypt stored SQL credentials and environment passwords.
Ivanti stated the issues were discovered through its responsible disclosure program and confirmed no active exploitation at the time of disclosure.
Fortinet Vulnerabilities
Fortinet released 14 security fixes this week, including one high-severity vulnerability and 13 rated medium severity. The high-severity issue, CVE-2025-31104, is an OS command injection flaw in FortiADC that allows authenticated users to execute arbitrary code via specially crafted HTTP requests.
Other affected products include:
- FortiOS
- FortiClientEMS / FortiClient for Windows
- FortiPAM
- FortiSRA
- FortiSASE
- FortiPortal
- FortiProxy
- FortiWeb
The medium-severity vulnerabilities could lead to various impacts, including:
- Server-side request forgery (SSRF)
- Unauthorized session injection
- VPN redirection
- Unauthorized access to SSL-VPN settings and device data
- Privilege escalation
- SSH key manipulation
- Identity spoofing
- Bypassing certificate revocation checks
Fortinet has not observed active exploitation of these vulnerabilities in the wild.
For full details, refer to the official Ivanti and Fortinet PSIRT advisory pages.