Fortinet & Ivanti ship October fixes for multiple high-severity flaws (FortiPAM/FortiSwitchManager auth bypass, FortiIsolator cookie issues, Ivanti EPMM & Neurons for MDM)

Introduction: the problem at a glance

Fortinet and Ivanti released coordinated October security updates addressing dozens of vulnerabilities across popular network-security and endpoint-management products. Highlights include a weak-authentication flaw in FortiPAM and FortiSwitchManager (CVE-2025-49201), cookie-handling issues in FortiIsolator (CVE-2024-33507), FortiClient Mac and FortiOS privilege escalations, and high-severity bugs in Ivanti Endpoint Manager Mobile (EPMM) and Neurons for MDM. Both vendors report no evidence of in-the-wild exploitation for these specific issues as of publication, but given these ecosystems’ frequent targeting, rapid patching is strongly advised.

In brief

  • Fortinet: 29 new advisories covering >30 vulnerabilities across FortiOS, FortiPAM, FortiProxy, FortiClient (Windows/Mac), FortiManager/Analyzer, FortiWeb, FortiSOAR/SIEM and more. High-severity entries include CVE-2025-49201 (FortiPAM/FortiSwitchManager), CVE-2024-33507 (FortiIsolator), a FortiClient Mac LaunchDaemon privilege escalation (CVE-2025-57741), and a FortiOS privilege-escalation bug.
  • Ivanti: October advisories for EPMM and Neurons for MDM (two high-severity issues in Neurons for MDM including an MFA bypass and the ability for an admin to unenroll arbitrary devices, plus multiple high-severity EPMM issues). Ivanti also posted EPM guidance/mitigations.
  • Exploitation status: No signs of active exploitation reported by either vendor at release time.

Context / history / connections

Both Fortinet and Ivanti products are frequent targets for post-patch scanning and exploitation attempts. Past Fortinet advisories (e.g., FortiSIEM CVE-2025-25256) drew rapid attacker interest, and CISA and national CERTs regularly flag Ivanti advisories due to their prevalence in enterprise/mobile fleets. Canada’s Cyber Centre issued an alert summarizing Ivanti’s October releases (AV25-661), underscoring the need for speedy updates.

Technical analysis / details of the vulnerabilities

Fortinet (selected high-severity items)

  1. CVE-2025-49201 – Weak authentication in FortiPAM & FortiSwitchManager (CWE-1390)
    • Impact: Remote attackers can bypass authentication and ultimately execute unauthorized code/commands via crafted HTTP requests.
    • Affected: FortiPAM 1.0.0–1.0.3, 1.1.0–1.1.2, 1.2.0, 1.3.0–1.3.1, 1.4.0–1.4.2, 1.5.0; FortiSwitchManager 7.2.0–7.2.4.
    • CVSS (NVD): AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (network exploitable, high impact).
    • Notes: Fortinet PSIRT and NVD entries align on weak authentication as the root cause. Patch to the fixed builds as per PSIRT.
  2. CVE-2024-33507 – FortiIsolator cookie handling
    • Impact: Unauthenticated deauthentication of logged-in admins via crafted cookies; and privilege escalation from read-only to write for authenticated users.
    • Affected: FortiIsolator ≤2.3.4 and 2.4.4 (per PSIRT/CVE record).
    • Risk: DoS against administrative sessions; potential unauthorized changes by low-privilege users.
    • Action: Update to vendor-specified fixed versions.
  3. Other Fortinet high-severity items
    • A FortiClient Mac LaunchDaemon privilege escalation (CVE-2025-57741) and a FortiOS privilege-escalation bug (CVE-2025-58325): both require authentication but could enable command execution with elevated privileges. Apply updates via Fortinet’s October advisory set.
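As an added example (not Fortinet's or the advisory's own code), the check below triages a build inventory against the affected ranges listed above for CVE-2025-49201. It encodes only the ranges on this page, so builds on trains not listed here (e.g., a FortiSwitchManager 7.0.x build) come back as "not matching" and still need to be checked against the PSIRT entry; the hostnames and versions in the sample inventory are constructed.

```python
from typing import List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'1.3.1' -> (1, 3, 1); a build suffix such as '1.3.1-b123' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

# Affected builds as inclusive (low, high) pairs, copied from the advisory text above.
AFFECTED = {
    "FortiPAM": [("1.0.0", "1.0.3"), ("1.1.0", "1.1.2"), ("1.2.0", "1.2.0"),
                 ("1.3.0", "1.3.1"), ("1.4.0", "1.4.2"), ("1.5.0", "1.5.0")],
    "FortiSwitchManager": [("7.2.0", "7.2.4")],
}

def is_affected(product: str, version: str) -> bool:
    """True if the build falls inside any listed affected range for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))

def triage(inventory: List[str]) -> List[str]:
    """Return the 'host product version' entries that match an affected range."""
    hits = []
    for line in inventory:
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append(f"{host} {product} {version}")
    return hits

# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "pam-01 FortiPAM 1.4.1",
    "pam-02 FortiPAM 1.5.1",
    "fsm-01 FortiSwitchManager 7.2.4",
    "fsm-02 FortiSwitchManager 7.2.5",
    "fsm-03 FortiSwitchManager 7.0.3",   # train not listed on this page: verify with PSIRT
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print("PATCH REQUIRED:", entry)
```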

Fortinet’s October drop also includes medium/low issues across FortiOS, FortiProxy, FortiManager/Analyzer, FortiWeb, FortiSOAR/SIEM, FortiSASE and more. Even non-critical fixes can be useful to reduce attack surface (e.g., XSS, DoS, info-disclosure).

Ivanti (October 2025)

  1. EPMM (Ivanti Endpoint Manager Mobile)
    • Issues: Multiple high-severity vulnerabilities allowing code execution by an authenticated admin; one medium-severity issue enabling unauthorized disk write.
    • Scope: On-prem EPMM deployments with specific version lines require updating to 12.6.0.2 / 12.5.0.4 / 12.4.0.4 (per Ivanti guidance).
    • Exploit status: None observed by Ivanti at disclosure.
  2. Neurons for MDM
    • Issues: Two high-severity flaws—(a) an MFA bypass for a remote authenticated attacker; (b) an admin-level action enabling unenrollment of arbitrary devices from UEM UI—plus one medium-severity API exposure to sensitive user data (unauthenticated).
    • Action: Upgrade from R118 and prior to the latest fixed release per Ivanti’s advisory.
  3. Endpoint Manager (EPM) advisory & lifecycle note
    • Ivanti published EPM guidance and highlighted that EPM 2022 reached end-of-life in October 2025; customers should plan upgrades to supported trains.

National guidance mirrors these: Canada’s Cyber Centre enumerates affected Ivanti product/version families (EPM, EPMM, Neurons for MDM) and urges prompt updates.

Practical consequences / risks

  • Credential-less initial footholds on management planes: Weak authentication & MFA bypass on widely deployed admin surfaces (FortiPAM/FortiSwitchManager; Ivanti Neurons for MDM) can enable tenant-wide policy tampering, device unenrollment, or lateral movement.
  • Admin session disruption & privilege creep: FortiIsolator cookie defects enable admin deauthentication (availability impact) and privilege escalation, undermining change-control on secure browsing gateways.
  • Rapid weaponization risk after disclosure: Fortinet/Ivanti fixes historically draw quick scanning; even without current exploitation evidence, lagging patch cycles elevate risk.

Operational recommendations / what to do next

  1. Patch sequencing (prioritize exposed control planes):
    • Fortinet: Prioritize FortiPAM & FortiSwitchManager (CVE-2025-49201) and FortiIsolator (CVE-2024-33507), then FortiOS/FortiClient Mac where used. Validate versions against Fortinet PSIRT and upgrade to vendor-fixed releases.
    • Ivanti: Upgrade EPMM and Neurons for MDM to the latest patched builds referenced in the October bulletins; review EPM lifecycle/EOL status and plan migrations.
  2. Compensating controls (while patching):
    • Restrict management interfaces to trusted admin networks/VPN, enforce IP allow-lists, and require strong multi-factor authentication (MFA) via an out-of-band IdP for all admin access.
    • Increase WAF/IDS inspection for management paths; add signatures/rate-limits for brute-force/auth-bypass attempts.
    • Monitor for device unenrollment events in Ivanti and for unexpected admin deauth or role changes on FortiIsolator.
  3. Detection & response:
    • Hunt for anomalous admin activity (logins from new ASNs, rapid policy changes, mass unenrollment).
    • Review reverse proxy and appliance logs for suspicious crafted cookie patterns and unusual HTTP verbs/headers around auth endpoints (FortiIsolator, FortiPAM/FortiSwitchManager).
    • If exposed to the internet, assume reconnaissance began at disclosure; consider retroactive log review from Oct 13–16, 2025 (the advisory window).
  4. Asset & version governance:
    • Create CMDB tags for security appliances & UEM with required patch SLAs (e.g., 72 hours for auth-bypass on management planes).
    • If you run EPM 2022 (EOL in Oct 2025), accelerate upgrade to supported versions.
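The two hunts named under "Detection & response" (admin logins from new ASNs, mass device unenrollment), written out as an added example that is not from Ivanti, Fortinet or the sources above. The input is assumed to be SIEM-normalised admin events in a constructed "timestamp key=value ..." form; the field names (user, action, asn, device), the ASN baseline and the threshold are assumptions to be replaced with your own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_ADMIN_ASNS = {64500}       # constructed baseline of ASNs admins normally log in from
UNENROLL_THRESHOLD = 5           # unenroll actions by one admin inside WINDOW raise an alert
WINDOW = timedelta(minutes=10)

def parse_event(line: str) -> dict:  # "2025-10-15T09:00:00 user=a action=login asn=64500"
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def unknown_asn_logins(events: list[dict]) -> list[str]:  # rule 1: login from an unknown ASN
    return [f"{e['user']}: login from unknown ASN {e['asn']}"
            for e in events if e["action"] == "login" and int(e["asn"]) not in KNOWN_ADMIN_ASNS]

def mass_unenrollment(events: list[dict]) -> list[str]:  # rule 2: burst of unenrolls per admin
    per_admin = defaultdict(list)
    for e in events:
        if e["action"] == "unenroll":
            per_admin[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_admin.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= UNENROLL_THRESHOLD:
                alerts.append(f"{user}: {end - start + 1} devices unenrolled within {WINDOW}")
                break                          # one alert per admin is enough
    return alerts

def hunt(lines: list[str]) -> list[str]:
    """Parse raw lines and return all alerts from both rules."""
    events = [parse_event(line) for line in lines]
    return unknown_asn_logins(events) + mass_unenrollment(events)

# Constructed sample events; users, ASNs and device ids are illustrative only.
SAMPLE_LOG = [
    "2025-10-15T09:00:00 user=alice action=login asn=64500",
    "2025-10-15T09:01:00 user=bob action=login asn=64511",
    "2025-10-15T09:02:00 user=bob action=unenroll device=dev-1",
    "2025-10-15T09:03:00 user=bob action=unenroll device=dev-2",
    "2025-10-15T09:04:00 user=bob action=unenroll device=dev-3",
    "2025-10-15T09:05:00 user=bob action=unenroll device=dev-4",
    "2025-10-15T09:06:00 user=bob action=unenroll device=dev-5",
]
```

Run `hunt(SAMPLE_LOG)` to see both rules fire on the sample; tune WINDOW and UNENROLL_THRESHOLD against your own fleet's normal decommissioning rate before deploying.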

Differences / comparisons with other cases

Compared with earlier critical Fortinet cases (e.g., FortiSIEM CVE-2025-25256), the October set skews toward high severity but still includes auth-bypass and admin-plane weaknesses that often become initial footholds. For Ivanti, the pattern of UEM-centric flaws continues, but the MFA bypass and device-unenrollment angles are particularly impactful for mobile fleets.

Summary / key takeaways

  • Fortinet shipped a wide slate of fixes; CVE-2025-49201 (FortiPAM/FortiSwitchManager) and CVE-2024-33507 (FortiIsolator) deserve top priority due to auth and admin-impact vectors.
  • Ivanti’s EPMM and Neurons for MDM updates address high-severity issues including MFA bypass and arbitrary device unenrollment—high risk for mobile/remote work environments.
  • No exploitation seen yet, but time-to-exploit for these vendors is historically short; patch swiftly, restrict admin surfaces, and monitor closely.

Sources / bibliography

  • SecurityWeek — roundup of Fortinet & Ivanti October 2025 patches and notable CVEs. (SecurityWeek)
  • Fortinet PSIRT — CVE-2025-49201 (FortiPAM/FortiSwitchManager weak authentication). (FortiGuard)
  • NVD — CVE-2025-49201 record with CVSS and affected versions. (NVD)
  • Fortinet PSIRT — FG-IR-24-062 (FortiIsolator cookie/auth issues; CVE-2024-33507). (FortiGuard)
  • CVE.org — CVE-2024-33507 details (deauthentication & privilege escalation). (CVE)
  • Ivanti (official blog) — October 2025 Security Update overview (EPMM & Neurons for MDM). (Ivanti)
  • Ivanti forums advisories — Neurons for MDM October advisory and EPM October advisory/EOL note. (Ivanti Community)
  • Canadian Centre for Cyber Security — national alert summarizing Ivanti October advisories. (Canadian Centre for Cyber Security)