Rapid responses


runZero’s Rapid Response program provides immediate detection and notification of emerging threats. Older entries are migrated to standalone queries or templates.

Fortinet FortiSandbox Multiple Vulnerabilities (2026-04)
Type: assets. Published: Apr 15, 2026.

Fortinet FortiSandbox is a security appliance that identifies unknown threats by executing suspicious files in isolated virtual environments to monitor their behavior and then automates a response by sharing that intelligence across the network to block the detected threat.

Certain versions of FortiSandbox are susceptible to multiple vulnerabilities:

  • CVE-2026-39808: An OS command injection vulnerability exists within an API endpoint due to the improper neutralization of special elements. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted HTTP requests, potentially allowing for the execution of unauthorized code or commands.

  • CVE-2026-39813: An API privilege escalation vulnerability exists due to a path traversal flaw. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted HTTP requests to the JRPC API. Successful exploitation may allow an attacker to bypass authentication and escalate privileges on the system.

The following versions are affected:

  • FortiSandbox 4.4: Versions 4.4.0 through 4.4.8 (affected by both CVEs)
  • FortiSandbox 5.0: Versions 5.0.0 through 5.0.5 (affected by CVE-2026-39813 only)
Query:
os:="Fortinet FortiSandbox%"
Fortinet FortiClient Endpoint Management Server API Auth Bypass (CVE-2026-35616)
Type: services. Published: Apr 4, 2026.

Fortinet FortiClient Endpoint Management Server (EMS) is a centralized application used to deploy, configure, and monitor security settings on devices running the FortiClient agent.

Certain versions of FortiClient EMS are susceptible to an API authentication and authorization bypass vulnerability caused by improper access control. A remote, unauthenticated attacker could exploit this flaw by sending specially crafted requests to the server. A successful exploit may allow the attacker to execute unauthorized code or commands.

Both Fortinet and CISA have now confirmed that this vulnerability is being actively exploited in the wild.

The following versions are affected:

  • FortiClientEMS 7.4: Versions 7.4.5 through 7.4.6
Query:
_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065
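The query above pivots on a favicon hash rather than a product banner. The following is an added example, not runZero's code, showing how that kind of fingerprint is computed so you can hash a favicon you fetched yourself and build the same query shape. It implements MurmurHash3 x86_32 in pure Python (no `mmh3` package needed) and assumes, without confirmation from this page, that runZero's favicon.ico.image.mmh3 follows the Shodan convention: base64-encode the raw icon with 76-character lines, hash with seed 0, report the signed 32-bit value. The sample icon bytes are constructed for the demo.

```python
"""Shodan-style favicon hash, the shape used by favicon.ico.image.mmh3:=... queries.

Added example, not runZero's code. ASSUMPTION: runZero's field follows the Shodan
convention (MurmurHash3 x86_32, seed 0, over the MIME base64 encoding of the raw
favicon bytes with 76-character lines, reported as a signed 32-bit integer).
"""
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    x &= MASK32
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32, returning the signed 32-bit value that
    the Python mmh3.hash() function returns for the same input."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4

    # Body: mix in each 4-byte little-endian block.
    for off in range(0, nblocks * 4, 4):
        k1 = int.from_bytes(data[off:off + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: the 0-3 leftover bytes, packed little-endian into one word.
    tail = data[nblocks * 4:]
    if tail:
        k1 = 0
        for i, b in enumerate(tail):
            k1 ^= b << (8 * i)
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalisation (fmix32).
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def favicon_hash(icon_bytes: bytes) -> int:
    """Hash a favicon the Shodan way: base64 with line breaks, then mmh3.

    base64.encodebytes() is the same as codecs.encode(data, "base64"): it emits
    76-character lines each terminated by "\\n", and those newlines are part of
    the hashed input. Using b64encode() (no line breaks) gives a different hash.
    """
    return murmur3_32(base64.encodebytes(icon_bytes))


def runzero_query(icon_bytes: bytes) -> str:
    """Build the same query shape the FortiClient EMS entry above uses."""
    return ("_asset.protocol:http AND protocol:http AND "
            f"favicon.ico.image.mmh3:={favicon_hash(icon_bytes)}")


if __name__ == "__main__":
    # Constructed stand-in for a favicon; a real one comes from GET /favicon.ico.
    sample_icon = bytes(range(256)) * 4
    print(runzero_query(sample_icon))
```

Before relying on a self-computed hash, check the assumption against one asset that the page's query already matches with -800551065; if runZero hashed raw bytes or unwrapped base64, the values would differ. A favicon hash also identifies the product, not the version: the fingerprint finds EMS servers, and the version list above decides which of them are exposed.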
Cisco Smart Software Manager On-Prem Multiple Vulnerabilities (2026-04)
Type: services. Published: Apr 3, 2026.

Cisco Smart Software Manager On-Prem (SSM On-Prem) is a local virtual appliance that enables organizations to manage and track Cisco software licenses within a private network, eliminating the need to connect individual devices directly to Cisco’s cloud-based licensing portal.

Certain versions of Cisco SSM On-Prem are affected by the following vulnerabilities:

  • CVE-2026-20160: A vulnerability that could allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system of an affected host. The issue stems from the unintentional exposure of an internal service. An attacker could exploit it by sending a crafted request to the exposed service's API; a successful exploit could grant the attacker root-level privileges on the underlying operating system.

  • CVE-2026-20151: A vulnerability in the web interface that could allow a remote, low-privileged attacker (System User role) to elevate their privileges. This flaw exists due to the improper transmission of sensitive user information. An attacker could exploit this by sending a crafted message to the host and retrieving session credentials from subsequent status messages. This would allow an attacker to elevate their role from System User to administrative. Note: This vulnerability only exposes information regarding users currently logged into the web interface; SSH sessions are not affected.

The following versions are affected by one or both vulnerabilities:

  • CVE-2026-20151: Cisco SSM On-Prem versions 9-202510 and earlier.
  • CVE-2026-20160: Cisco SSM On-Prem versions 9-202502 through 9-202510.
Query:
_asset.protocol:http AND protocol:http AND html.title:="On-Prem License Workspace"
Cisco Integrated Management Controller Multiple Vulnerabilities (2026-04)
Type: software. Published: Apr 2, 2026.

The Cisco Integrated Management Controller (IMC) is a dedicated baseboard management controller that provides out-of-band hardware configuration, monitoring, and remote control for Cisco UCS C-Series and S-Series servers via a web interface, CLI, or API, independent of the host operating system.

Certain versions of Cisco IMC are affected by the following vulnerabilities:

  • CVE-2026-20093: A vulnerability in the password change functionality could allow a remote, unauthenticated attacker to bypass authentication. Due to incorrect handling of password requests, an attacker could send a crafted HTTP request to alter any user’s password, including an Admin account, to gain full system access.

  • CVE-2026-20094: A vulnerability in the web-based management interface could allow a remote, low-privileged (read-only) attacker to perform command injection. By sending crafted commands to the interface, an attacker could exploit improper input validation to execute arbitrary commands as the root user.

  • CVE-2026-20095 and CVE-2026-20096: Two vulnerabilities in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to perform command injection. Due to improper input validation, an attacker could execute arbitrary commands on the underlying operating system as the root user.

  • CVE-2026-20097: A vulnerability in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to execute arbitrary code. By sending crafted HTTP requests to an affected device, an attacker could exploit improper input validation to execute arbitrary code on the underlying operating system as the root user.

The following Cisco products are affected if they are running a vulnerable release of Cisco IMC, regardless of device configuration:

5000 Series Enterprise Network Compute Systems (ENCS), affected by CVE-2026-20093, CVE-2026-20095, and CVE-2026-20096:

  • Cisco NFV Infrastructure Software (NFVIS) versions 4.15 and earlier

Catalyst 8300 Series Edge uCPE, affected by CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096:

  • Cisco NFVIS versions 4.16 and earlier
  • Cisco NFVIS version 4.18

UCS C-Series M5 & M6 Rack Servers (Standalone Mode), affected by all five CVEs (CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097):

  • Cisco IMC versions 4.2 and earlier
  • Cisco IMC version 4.3
  • Cisco IMC version 6.0 (M6 only)

UCS E-Series M3 & M6, affected by CVE-2026-20093, CVE-2026-20094 (M6 only), CVE-2026-20095, and CVE-2026-20096:

  • Cisco IMC versions 3.2 and earlier (M3)
  • Cisco IMC versions 4.15 and earlier (M6)

UCS S-Series Storage Servers (Standalone Mode), affected by CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096:

  • Cisco IMC versions 4.2 and earlier
  • Cisco IMC version 4.3

Cisco Appliances: The following appliances are affected if the Cisco IMC user interface (UI) is exposed, as these platforms are built upon preconfigured versions of the UCS C-Series Servers listed above:

  • Application Policy Infrastructure Controller (APIC) Servers
  • Business Edition 6000 and 7000 Appliances
  • Catalyst Center Appliances, formerly DNA Center
  • Cisco Telemetry Broker Appliances
  • Cloud Services Platform (CSP) 5000 Series
  • Common Services Platform Collector (CSPC) Appliances
  • Connected Mobile Experiences (CMX) Appliances
  • Connected Safety and Security UCS Platform Series Servers
  • Cyber Vision Center Appliances
  • Expressway Series Appliances
  • HyperFlex Edge Nodes
  • HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect (DC-No-FI) deployment mode
  • IEC6400 Edge Compute Appliances
  • IOS XRv 9000 Appliances
  • Meeting Server 1000 Appliances
  • Nexus Dashboard Appliances
  • Prime Infrastructure Appliances
  • Prime Network Registrar Jumpstart Appliances
  • Secure Endpoint Private Cloud Appliances
  • Secure Firewall Management Center Appliances
  • Secure Malware Analytics Appliances
  • Secure Network Analytics Appliances
  • Secure Network Server Appliances
  • Secure Workload Servers
Query:
vendor:=Cisco AND product:="Integrated Management Controller"
Progress ShareFile Storage Zones Controller Multiple Vulnerabilities (2026-04)
Type: software. Published: Apr 2, 2026.

Progress ShareFile Storage Zones Controller is a software application that enables organizations to store their ShareFile data on-premises or in a private cloud infrastructure, rather than using the default ShareFile cloud storage.

Certain versions of customer-managed ShareFile Storage Zones Controller (SZC) 5.x are affected by the following vulnerabilities:

  • CVE-2026-2699: An Execution After Redirect (EAR) flaw allows a remote, unauthenticated adversary to access restricted configuration pages. This could lead to unauthorized system configuration changes and potentially to remote code execution (RCE).

  • CVE-2026-2701: Allows a remote, high-privileged user to upload a malicious file to the server and execute it to achieve RCE.

The following versions are affected:

  • ShareFile Storage Zones Controller 5.x versions prior to 5.12.4
Query:
(vendor:="Progress Software" OR vendor:=Citrix OR vendor:=ShareFile) AND (product:="ShareFile Storage Zones Controller" OR product:="ShareFile StorageZones Controller")
Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2026-20963)
Type: software. Published: Mar 26, 2026.

Microsoft SharePoint is a web-based collaboration and document management platform within the Microsoft 365 suite. It acts as a secure, centralized hub for storing, organizing, sharing, and accessing information from any device.

On January 13, 2026, Microsoft disclosed a remote code execution vulnerability in Microsoft SharePoint, designated CVE-2026-20963. The vulnerability is caused by deserialization of untrusted data and allows a remote, unauthenticated attacker to execute code over the network.

While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.

This vulnerability is known to be exploited in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026.

The following versions are affected:

  • SharePoint Enterprise Server 2016 before version 16.0.5535.1001
  • SharePoint Server 2019 before version 16.0.10417.20083
  • SharePoint Server Subscription Edition before version 16.0.19127.20442
Query:
vendor:=Microsoft AND ( (product:="SharePoint Server 2016" AND (version:>=16.0.4107.1002 AND version:<16.0.5535.1001)) OR (product:="SharePoint Server 2019" AND (version:>=16.0.10711.37301 AND version:<16.0.10417.20083)) OR (product:="SharePoint Server Subscription Edition" AND (version:>=16.0.0.1 AND version:<16.0.19127.20442)) )
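Each entry above pairs a product with an affected range written in its vendor's own notation: "4.4.0 through 4.4.8", "9-202502 through 9-202510", "before 16.0.5535.1001". The following added example, which is not runZero's code or query engine, transcribes those ranges from this page and checks inventory rows against them. It also shows why the comparison has to be numeric rather than lexical: as strings, a hypothetical FortiSandbox 4.4.10 sorts below 4.4.8 and would be wrongly flagged as inside the affected range. Product names follow the queries above; the inventory rows and their build numbers are constructed for the demo.

```python
"""Check inventory versions against the affected ranges listed on this page.

Added example, not runZero's code. Ranges are transcribed from the entries above;
SAMPLE_INVENTORY is constructed for the demo. Versions are compared as tuples of
integers so that 4.4.10 > 4.4.8 and 16.0.10417.x > 16.0.5535.x, which plain
string comparison gets wrong.
"""
import re

# (product, lowest affected or None for "all earlier", upper bound,
#  upper bound inclusive?, CVEs). Inclusive=True means "through", False "before".
AFFECTED = [
    ("FortiSandbox", "4.4.0", "4.4.8", True, ["CVE-2026-39808", "CVE-2026-39813"]),
    ("FortiSandbox", "5.0.0", "5.0.5", True, ["CVE-2026-39813"]),
    ("FortiClientEMS", "7.4.5", "7.4.6", True, ["CVE-2026-35616"]),
    ("Cisco SSM On-Prem", None, "9-202510", True, ["CVE-2026-20151"]),
    ("Cisco SSM On-Prem", "9-202502", "9-202510", True, ["CVE-2026-20160"]),
    ("SharePoint Server 2016", None, "16.0.5535.1001", False, ["CVE-2026-20963"]),
    ("SharePoint Server 2019", None, "16.0.10417.20083", False, ["CVE-2026-20963"]),
    ("SharePoint Server Subscription Edition", None, "16.0.19127.20442", False,
     ["CVE-2026-20963"]),
]


def version_key(version: str) -> tuple:
    """Numeric components only: '16.0.5535.1001' -> (16, 0, 5535, 1001),
    '9-202510' -> (9, 202510), 'v4.4.8' -> (4, 4, 8)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def in_range(version: str, low, high: str, high_inclusive: bool) -> bool:
    """True when version lies in [low, high] (inclusive) or [low, high) (before)."""
    v = version_key(version)
    if low is not None and v < version_key(low):
        return False
    h = version_key(high)
    return v <= h if high_inclusive else v < h


def affected_cves(product: str, version: str) -> list:
    """All CVEs from this page that apply to the given product/version, deduplicated."""
    cves = []
    for prod, low, high, inclusive, ids in AFFECTED:
        if prod == product and in_range(version, low, high, inclusive):
            cves.extend(c for c in ids if c not in cves)
    return cves


def triage(inventory) -> dict:
    """inventory: iterable of (asset, product, version). Returns {asset: [CVEs]} for hits only."""
    hits = {}
    for asset, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            hits[asset] = cves
    return hits


def string_compare_pitfall() -> tuple:
    """A hypothetical FortiSandbox 4.4.10: string compare says it is <= 4.4.8 (wrong),
    numeric compare says it is not (right)."""
    as_string = "4.4.10" <= "4.4.8"
    as_numbers = version_key("4.4.10") <= version_key("4.4.8")
    return as_string, as_numbers


# Constructed inventory rows; asset names and build numbers are invented for the demo.
SAMPLE_INVENTORY = [
    ("fsb-lab-01", "FortiSandbox", "4.4.8"),
    ("fsb-lab-02", "FortiSandbox", "5.0.6"),
    ("ems-01", "FortiClientEMS", "7.4.4"),
    ("ssm-onprem-01", "Cisco SSM On-Prem", "9-202410"),
    ("sp2016-01", "SharePoint Server 2016", "16.0.5534.1000"),
    ("sp2019-01", "SharePoint Server 2019", "16.0.10417.20083"),
]

if __name__ == "__main__":
    for asset, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {', '.join(cves)}")
    print("string vs numeric comparison of 4.4.10 <= 4.4.8:", string_compare_pitfall())
```

The Cisco SSM On-Prem row illustrates the one-or-both wording above: a 9-202410 build is inside "9-202510 and earlier" for CVE-2026-20151 but below the 9-202502 floor for CVE-2026-20160. The match is only as good as the version string your inventory holds; a fingerprint query like the ones above finds the product, and this kind of range check decides which instances still need the fix.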

Each Rapid Response includes a query to find matching assets, a trigger to analyze all inventories for exposure, and a corresponding blog post with the details of the issue. This program focuses on helping customers mitigate exposures before compromise.

Vulnerabilities covered by the Rapid Response program are replaced by more specific coverage as mitigations become available.