Fortinet, Ivanti, and ServiceNow patch 15 flaws, including a critical no-login attack on ServiceNow's AI platform

A flaw rated 9.5 out of 10 in severity lets criminals run malicious code on ServiceNow systems without needing a password. Twelve Fortinet products and two Ivanti tools also received fixes on the same day.

ThreatVectr Newsdesk· 3 min read
Full-frame 16:9 photoreal editorial image of a dimly lit server rack in a data center, focused on a single rack unit with a glowing amber status LED, shallow de
Share

Key points

  • ServiceNow patched CVE-2026-6875, a critical flaw scored 9.5 out of 10 that lets attackers run malicious code on its AI platform without logging in.
  • Ivanti fixed two flaws in its Xtraction data tool: CVE-2026-14902, which can silently send users to malicious websites, and CVE-2026-14903, which can let attackers read files they should never reach.
  • Fortinet released 11 advisories on Tuesday covering 12 vulnerabilities spread across ten of its products.
  • None of the three vendors say they have seen any of these flaws actively exploited yet.

Three major software companies released security fixes on Tuesday for a combined 15 vulnerabilities, meaning 15 discovered weaknesses in their products that attackers could use to cause harm.

The most urgent fix came from ServiceNow, a company that makes software businesses use to manage IT support tickets, employee requests, and now artificial-intelligence tools. ServiceNow patched CVE-2026-6875, a remote code execution flaw, meaning a flaw that lets someone run their own malicious instructions on another company's computer system from anywhere over the internet, without needing a username or password to get started. The flaw carries a severity score of 9.5 out of a possible 10.

ServiceNow says it has already pushed the fix automatically to its cloud-hosted customers. Organisations that run ServiceNow on their own servers need to apply the provided update themselves.

What does this mean for ordinary people?

If your employer uses ServiceNow for IT help-desk requests or HR forms, and the company runs its own copy of the software without auto-updates, the system may still be exposed until a tech team applies the patch. You don't need to do anything yourself, but it's worth knowing your IT department should be on this quickly.

Ivanti, which makes tools for managing and visualising company data, patched two flaws in a product called Xtraction. CVE-2026-14902 is an open redirect flaw, which means the software can be tricked into silently sending a user's browser to a malicious external website, a handy tool for phishing, where criminals send fake pages to steal login details. CVE-2026-14903 is a path traversal flaw, meaning an attacker could read files stored on the server that the software was never meant to share. Ivanti says neither flaw has been exploited in the wild.

Fortinet, which sells network security hardware and software to businesses, published 11 advisories covering 12 separate vulnerabilities across ten products, including FortiOS, FortiAuthenticator, and FortiSandbox. The two most serious bugs sit inside FortiAuthenticator and FortiSandbox: unauthenticated remote attackers, meaning criminals with no account on the system, could potentially retrieve sensitive information or gain access to virtual machine scanning environments. Fortinet found no evidence of active exploitation.

Organisations running any of the affected products should check vendor patch notes and apply updates promptly. Unpatched systems, even ones not yet targeted, represent open doors that criminals actively scan for.

© 2026 Threat Vectr