Full Report
Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code. Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks. "External control of a file name
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Ivanti, Fortinet, SAP, VMware, and n8n
## CVE Details
- **CVE ID:** CVE-2026-8043 (Ivanti), CVE-2026-44277, CVE-2026-26083 (Fortinet), CVE-2026-34260, CVE-2026-34263 (SAP), CVE-2026-41702 (VMware), CVE-2026-42231 (n8n)
- **CVSS Score:** 7.8 to 9.6 (High to Critical)
- **CWE:** Improper Access Control, SQL Injection, TOCTOU, Prototype Pollution, Missing Authentication.
## Affected Systems
- **Ivanti:** Xtraction (versions before 2026.2).
- **Fortinet:** FortiAuthenticator (6.5, 6.6, 8.0); FortiSandbox (4.4, 5.0); FortiSandbox Cloud/PaaS.
- **SAP:** S/4HANA; Commerce Cloud (configuration level).
- **VMware:** Fusion (specifically SETUID binaries).
- **n8n:** Workflow automation platform (versions before 1.123.32, 2.17.4, 2.18.1).
## Vulnerability Description
This collection of vulnerabilities covers several high-impact attack vectors:
- **Ivanti Xtraction:** External control of file names allows remote authenticated attackers to read sensitive files or write arbitrary HTML/files to web directories.
- **Fortinet:** Improper access control and missing authorization in web interfaces allow unauthenticated remote code execution (RCE).
- **SAP:** SQL injection in S/4HANA allows unauthorized database reads; missing authentication in Commerce Cloud allows malicious configuration uploads leading to RCE.
- **VMware:** A Time-of-Check Time-of-Use (TOCTOU) flaw in SETUID binaries allows local privilege escalation.
- **n8n:** Prototype pollution via the `xml2js` library in the webhook handler allows authenticated users to achieve RCE.
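
The n8n item above describes a parser turning attacker-chosen element names into object keys that later reach `Object.prototype`. The following is an added example, not code from n8n or from the `xml2js` project: a defensive guard that assumes a parser has already produced a plain object from untrusted input, lists the key paths that a naive deep merge would treat as polluting, strips them, and only then merges. The sample input is constructed here to show the shape of the problem.

```javascript
// Added example (not n8n's or xml2js's code). Assumes untrusted input has
// already been parsed into a plain object; checks it before any deep merge.

// Property names that let a naive deep merge or assignment reach
// Object.prototype instead of the intended target object.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the dotted key paths in `value` whose last segment is a polluting
// key. An empty result means this check found nothing to object to.
function findPollutingPaths(value, path = [], out = []) {
  if (value === null || typeof value !== 'object') return out;
  // getOwnPropertyNames sees an *own* "__proto__" property, which JSON.parse
  // and XML-to-object parsers can create from sender-controlled names.
  for (const key of Object.getOwnPropertyNames(value)) {
    const here = [...path, key];
    if (POLLUTING_KEYS.has(key)) out.push(here.join('.'));
    findPollutingPaths(value[key], here, out);
  }
  return out;
}

// Deep-copy `value`, dropping every polluting key at every depth.
// Dropping (rather than rejecting the whole message) is a design choice;
// a stricter handler rejects input for which findPollutingPaths is non-empty.
function stripPollutingKeys(value) {
  if (Array.isArray(value)) return value.map(stripPollutingKeys);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.getOwnPropertyNames(value)) {
    if (POLLUTING_KEYS.has(key)) continue;
    clean[key] = stripPollutingKeys(value[key]);
  }
  return clean;
}

// Ordinary recursive merge; it is only ever given already-stripped input.
function mergeClean(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeClean(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge untrusted parsed data into `target` without touching Object.prototype.
function safeMerge(target, untrusted) {
  return mergeClean(target, stripPollutingKeys(untrusted));
}

// Constructed sample: what a parser might hand back for an untrusted webhook
// body whose element/attribute names were chosen by the sender.
const PARSED_UNTRUSTED = JSON.parse(
  '{"order":{"id":"A-1"},' +
  '"__proto__":{"isAdmin":true},' +
  '"meta":{"constructor":{"prototype":{"isAdmin":true}}}}'
);

console.log('suspicious paths:', findPollutingPaths(PARSED_UNTRUSTED));
console.log('merged safely:', JSON.stringify(safeMerge({}, PARSED_UNTRUSTED)));
console.log('Object.prototype untouched:', ({}).isAdmin === undefined);
```

In a webhook handler the practical pattern is to call `findPollutingPaths` on the parsed body and reject the request (with a log line carrying the offending paths) when it returns anything; `stripPollutingKeys` is the lenient alternative for pipelines that must keep processing. Neither replaces patching: the fix versions listed below remove the bug at its source.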
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild (per this report), but critical severity suggests high exploitability.
- **Complexity:** Low to Medium (depending on whether authentication is required).
- **Attack Vector:** Network (Ivanti, Fortinet, SAP, n8n); Local (VMware Fusion).
## Impact
- **Confidentiality:** High (Information disclosure, database exposure).
- **Integrity:** High (Arbitrary file writes, code injection).
- **Availability:** High (System crashes, full host takeover).
## Remediation
### Patches
- **Ivanti Xtraction:** Update to version 2026.2 or later.
- **FortiAuthenticator:** Update to 6.5.7, 6.6.9, or 8.0.3.
- **FortiSandbox:** Update to 4.4.9 or 5.0.2; fixed versions for FortiSandbox Cloud/PaaS differ (5.0.6, or 4.4.9/5.0.2).
- **SAP:** Apply May 2026 Security Notes for S/4HANA and Commerce Cloud.
- **VMware Fusion:** Update to version 26H1.
- **n8n:** Update to 1.123.32, 2.17.4, or 2.18.1.
### Workarounds
- Enforce strict IP whitelisting for management interfaces (Fortinet/Ivanti).
- Restrict user permissions to "Least Privilege" to mitigate local escalation (VMware) and workflow-based RCE (n8n).
## Detection
- Monitor for unusual file write activity in Ivanti web directories.
- Inspect HTTP logs for crafted requests targeting FortiAuthenticator/FortiSandbox UI.
- Audit SAP logs for unauthorized configuration uploads or SQL syntax errors.
## References
- Ivanti Advisory: hxxps[://]hub[.]ivanti[.]com/s/article/Security-Advisory---Ivanti-Xtraction-CVE-2026-8043
- Fortinet PSIRT: hxxps[://]www[.]fortiguard[.]com/psirt/FG-IR-26-128
- SAP Security Notes: hxxps[://]support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/may-2026[.]html
- Broadcom Support: hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454