
Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

Severity: Critical
Tags: Exploitiosweb
Published: Wed Dec 10 2025 (12/10/2025, 04:50:00 UTC)
Source: The Hacker News

Description

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and

AI-Powered Analysis

Last updated: 12/10/2025, 05:00:25 UTC

Technical Analysis

This security advisory covers multiple critical vulnerabilities disclosed in December 2025 affecting Fortinet, Ivanti, and SAP products.

The Fortinet vulnerabilities (CVE-2025-59718 and CVE-2025-59719, CVSS 9.8) stem from improper verification of cryptographic signatures in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. They allow unauthenticated attackers to bypass FortiCloud SSO authentication via crafted SAML messages if the feature is enabled; it is not enabled by default but can be turned on during device registration. The temporary mitigation is to disable the FortiCloud SSO login feature.

Ivanti Endpoint Manager prior to version 2024 SU4 SR1 contains a stored cross-site scripting (XSS) vulnerability (CVE-2025-10573, CVSS 9.6) that enables remote unauthenticated attackers to inject malicious JavaScript into the administrator dashboard by supplying poisoned data from fake managed endpoints. Triggering code execution and session takeover requires administrator interaction. Three further high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, CVE-2025-13662) allow remote code execution; CVE-2025-13662 also involves improper cryptographic signature verification in the patch management component.

SAP released patches for 14 vulnerabilities, including three critical ones: CVE-2025-42880 (code injection in SAP Solution Manager, CVSS 9.9), CVE-2025-55754 (multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud, CVSS 9.6), and CVE-2025-42928 (deserialization vulnerability in SAP jConnect SDK, CVSS 9.1). Exploiting the SAP Solution Manager vulnerability requires authentication but can lead to arbitrary code execution, a significant risk given Solution Manager's central role in SAP landscapes. The jConnect SDK flaw requires elevated privileges.

No active exploitation has been reported yet, but the critical nature of these vulnerabilities and their potential impact on confidentiality, integrity, and availability necessitate immediate patching and mitigation. The advisory emphasizes the importance of rapid response to prevent exploitation in enterprise environments.

Potential Impact

The vulnerabilities affect widely deployed enterprise security and management products critical to network infrastructure and business operations. For European organizations, exploitation could lead to unauthorized administrative access, full system compromise, and disruption of essential services.

Fortinet devices are commonly used in European enterprises and government networks for firewalling, proxying, and network management, so bypassing FortiCloud SSO could allow attackers to gain privileged access remotely. Ivanti Endpoint Manager is used for endpoint security and patch management; exploitation could enable attackers to hijack administrator sessions, inject malicious code, and execute arbitrary commands, undermining endpoint security and potentially spreading malware. SAP systems are integral to many European enterprises' ERP and commerce operations; code injection and deserialization flaws could allow attackers to execute arbitrary code, manipulate business data, or disrupt critical business processes.

The combined effect threatens confidentiality, integrity, and availability of sensitive data and systems, potentially causing financial loss, regulatory non-compliance, and reputational damage. Given the criticality and ease of exploitation, these vulnerabilities could be leveraged in targeted attacks against high-value European organizations, including government, finance, manufacturing, and critical infrastructure sectors.

Mitigation Recommendations

European organizations should immediately assess their exposure to the affected Fortinet, Ivanti, and SAP products and prioritize patching with the latest vendor updates.

For Fortinet devices, if FortiCloud SSO login is enabled, disable it temporarily via the GUI or CLI until patches are applied. Audit device configurations to verify whether the feature is enabled, since it is off by default and may have been switched on during device registration.

For Ivanti Endpoint Manager, upgrade to version 2024 SU4 SR1 or later to remediate the stored XSS and code execution flaws. Implement strict network segmentation and access controls to limit exposure of management consoles to untrusted networks.

For SAP systems, apply the December 2025 security patches promptly, especially for SAP Solution Manager, Commerce Cloud, and jConnect SDK components. Follow SAP-specific security hardening guides and monitor logs for suspicious activity related to these components.

Additionally, implement multi-factor authentication for administrative access, restrict administrative privileges, and conduct regular security assessments. Monitor threat intelligence feeds for emerging exploit activity and consider deploying web application firewalls and endpoint detection solutions tuned to detect exploitation attempts. Finally, conduct user awareness training to reduce the risk from social engineering, since some of these flaws require user interaction to exploit.
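The exposure assessment recommended above can be scripted against an asset inventory. The following is an added example written for this page, not code from the advisory or from any vendor; it checks two of the items the mitigation section names: whether a FortiOS-style configuration export has FortiCloud SSO login switched on, and whether an Ivanti Endpoint Manager version string is older than the fixed release 2024 SU4 SR1. The FortiOS setting name `admin-forticloud-sso-login` under `config system global` is an assumption and should be confirmed against the CLI reference for your firmware; the inventory and configuration excerpt are constructed sample data.

```python
"""Exposure triage for the Fortinet and Ivanti items in this advisory.

Added example (not vendor tooling). Assumptions:
- FortiOS config exports contain `set admin-forticloud-sso-login enable|disable`
  inside `config system global` (assumed setting name; verify on your firmware).
- Ivanti EPM versions are reported as "<year> SU<n>[ SR<m>]".
All inventory and configuration data below is constructed sample input.
"""
import re
from dataclasses import dataclass

# Fixed Ivanti Endpoint Manager release named in the advisory: 2024 SU4 SR1.
IVANTI_EPM_FIXED = (2024, 4, 1)

# Constructed FortiOS-style configuration excerpt (sample data, not a real device).
SAMPLE_FORTIOS_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-forticloud-sso-login enable
    set timezone 26
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
    next
end
"""

# Constructed inventory: name, product and (for Ivanti) reported version.
SAMPLE_INVENTORY = [
    {"name": "fw-edge-01", "product": "FortiOS", "version": "7.4.x"},
    {"name": "epm-01", "product": "Ivanti EPM", "version": "2024 SU3 SR2"},
    {"name": "epm-02", "product": "Ivanti EPM", "version": "2024 SU4 SR1"},
]


def forticloud_sso_enabled(config_text: str) -> bool:
    """True if the FortiCloud SSO login switch is enabled in `config system global`.

    A missing setting is treated as disabled, matching the advisory's statement
    that the feature is off by default.
    """
    in_global = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            in_global = True
            continue
        if in_global and stripped == "end":
            in_global = False
            continue
        if in_global:
            m = re.match(r"set admin-forticloud-sso-login (\w+)$", stripped)
            if m:
                return m.group(1).lower() == "enable"
    return False


def parse_ivanti_epm_version(text: str) -> tuple:
    """Turn '2024 SU4 SR1' into (2024, 4, 1); a missing SR counts as 0."""
    m = re.fullmatch(r"(\d{4})\s+SU(\d+)(?:\s+SR(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Ivanti EPM version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def ivanti_epm_vulnerable(version: str) -> bool:
    """Versions below 2024 SU4 SR1 are affected per the advisory."""
    return parse_ivanti_epm_version(version) < IVANTI_EPM_FIXED


@dataclass
class Finding:
    asset: str
    issue: str
    action: str


def triage(inventory: list, configs: dict) -> list:
    """Return one Finding per asset that needs attention under this advisory."""
    findings = []
    for asset in inventory:
        if asset["product"] == "FortiOS":
            if forticloud_sso_enabled(configs.get(asset["name"], "")):
                findings.append(Finding(
                    asset["name"],
                    "FortiCloud SSO login enabled (CVE-2025-59718/59719 exposure)",
                    "disable FortiCloud SSO login until the fixed build is installed"))
        elif asset["product"] == "Ivanti EPM":
            if ivanti_epm_vulnerable(asset["version"]):
                findings.append(Finding(
                    asset["name"],
                    f"Ivanti EPM {asset['version']} is below 2024 SU4 SR1 (CVE-2025-10573)",
                    "upgrade to 2024 SU4 SR1 or later"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, {"fw-edge-01": SAMPLE_FORTIOS_CONFIG}):
        print(f"{f.asset}: {f.issue} -> {f.action}")
```

On the sample data the script flags the firewall (SSO switch enabled) and epm-01 (2024 SU3 SR2), and leaves epm-02 alone. The SAP items are not covered here because the advisory gives no version threshold to test against; those systems should be checked against the December 2025 SAP Security Notes directly.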


Technical Details

Article source: https://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html (fetched 2025-12-10T05:00:07Z)

Threat ID: 6938fe57422a156f1941a383

Added to database: 12/10/2025, 5:00:07 AM

Last enriched: 12/10/2025, 5:00:25 AM

Last updated: 12/10/2025, 7:20:59 AM
