
Overview

Google has disclosed a vulnerability that allows out-of-bounds memory access in ANGLE within Google Chrome on macOS, which a remote attacker can trigger via a crafted HTML page. In simpler terms: this flaw lets an attacker make Chrome read or write data outside its intended memory space, which could lead to crashes or even code execution.

  • CVE-2025-14174: Google Chrome (macOS) ANGLE out-of-bounds memory access (CVSSv3 8.8). Affected versions: <= 143.0.7499.110.

 

Gogs has disclosed a vulnerability that stems from improper symbolic link handling in the PutContents API, enabling local code execution by abusing path traversal through symlinks. In other words, an attacker can use this flaw to make the system write files to unexpected locations, which could allow them to run malicious code. What is the PutContents API? It is a function in Gogs that handles writing content to files in repositories; developers use it to create or update files in a Git repository through the Gogs interface.

  • CVE-2025-8110: Gogs PutContents API local code execution (CVSSv3 8.7). Affected versions: <= 0.13.3.
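The kind of confinement check a file-writing API such as PutContents needs before it touches the filesystem, as an added illustration in Gogs's own language: this is not Gogs code, and the helper name, its error value and the check-then-write caveat are assumptions about how such an API could be hardened.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo: the requested path would land outside the repository.
var ErrOutsideRepo = errors.New("path escapes repository root")

// safeRepoPath is a hypothetical helper (not Gogs code) that a PutContents-style
// API could call before writing: it confines relPath to repoRoot both lexically
// ("../" components) and physically (symlinked ancestors or a symlinked target).
func safeRepoPath(repoRoot, relPath string) (string, error) {
	root, err := filepath.Abs(repoRoot)
	if err == nil {
		root, err = filepath.EvalSymlinks(root) // canonical root for comparison
	}
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	// Lexical check: reject absolute paths and anything that climbs above root.
	rel := filepath.Clean(filepath.FromSlash(relPath))
	if filepath.IsAbs(rel) || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRepo
	}
	target := filepath.Join(root, rel)
	// Physical check: resolve the deepest component that already exists (the
	// target itself, or its nearest ancestor when the file is new) and require
	// its real location to stay under root. The write itself should still use
	// O_NOFOLLOW / openat-style APIs, since this is a check-then-write.
	existing := target
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing = filepath.Dir(existing) // terminates at root, which exists
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+sep) {
		return "", ErrOutsideRepo
	}
	return target, nil
}
```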

 

Microsoft has disclosed a command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorised attacker to execute code locally, because special characters used in command construction are insufficiently neutralised. This means an attacker can insert harmful commands into Copilot's processes, making the system run code it should not.

  • CVE-2025-64671: GitHub Copilot for JetBrains command injection (CVSSv3 8.4). Affected versions: <= 1.5.60-243.

 

Fortinet has disclosed vulnerabilities that stem from improper verification of cryptographic signatures, which may allow an unauthenticated attacker to bypass the FortiCloud SSO administrative login by submitting a crafted SAML response message. In simpler terms: an attacker can forge login messages and gain admin access without valid credentials.

  • CVE-2025-59718: Fortinet SSO authentication bypass (CVSSv3 9.1). Affected versions:
      • FortiOS: 7.6.0–7.6.3; 7.4.0–7.4.8; 7.2.0–7.2.11; 7.0.0–7.0.17
      • FortiProxy: 7.6.0–7.6.3; 7.4.0–7.4.10; 7.2.0–7.2.14; 7.0.0–7.0.21
      • FortiSwitchManager: 7.2.0–7.2.6; 7.0.0–7.0.5
  • CVE-2025-59719: Fortinet SSO authentication bypass (CVSSv3 9.1). Affected versions: FortiWeb 8.0.0; 7.6.0–7.6.4; 7.4.0–7.4.9.

 

Ivanti has disclosed a stored cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager (EPM) that enables a remote unauthenticated attacker to execute arbitrary JavaScript in an administrator's session context. In simpler terms: an attacker can inject malicious scripts into the system that run when an admin views certain pages, potentially stealing data or taking control of the session.

  • CVE-2025-10573: Ivanti Endpoint Manager stored XSS (CVSSv3 9.6). Affected versions: <= 2024 SU4 SR1.

 

Recommended Action: 

Organisations are encouraged to review the appropriate security advisory pages and apply the updates.

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
