Fortinet, Ivanti, and ServiceNow Publish Coordinated Patch Cycle (Critical ServiceNow AI-Platform RCE)
Three vendors, one patch cycle, one critical AI-platform RCE — defender verification across the Fortinet, Ivanti, and ServiceNow product lines this week.
Three enterprise vendors shipped patches in one window, led by a CVSS 9.5 unauthenticated flaw in the ServiceNow AI platform — a cross-product verification week for defenders.
SANTA CLARA, CALIF. — Fortinet, Ivanti, and ServiceNow on July 14, 2026 rolled out a coordinated set of security patches covering 15 vulnerabilities across their product lines, headlined by a critical remote code execution (RCE) flaw in the ServiceNow AI platform that can be exploited without authentication. The release lands as a cross-vendor cycle rather than a single advisory, and for enterprises that run any of the three product families the week's assignment is familiar: identify affected systems, confirm the patched builds against each vendor's notes, and work the list in severity order.
The headline item is the ServiceNow flaw. As SecurityWeek reported, ServiceNow resolved a critical, unauthenticated RCE defect in the ServiceNow AI platform, tracked as CVE-2026-6875 with a CVSS score of 9.5, while Ivanti fixed two flaws in its Xtraction reporting tool and Fortinet published 11 advisories covering a dozen vulnerabilities. This is a defender-framed advisory summary: what each vendor shipped and what customers should verify, not how any flaw might be abused.
What the Three Vendors Published
The cycle's top-rated item is ServiceNow's. According to SecurityWeek, ServiceNow resolved a critical RCE flaw in the ServiceNow AI platform, CVE-2026-6875, carrying a CVSS score of 9.5 and exploitable without authentication. ServiceNow said it addressed the vulnerability by deploying a security update to hosted instances, with relevant updates also provided to self-hosted customers and partners. That delivery model matters for defenders: hosted customers are covered by the vendor's own rollout, while self-hosted and partner deployments carry the verification burden.
Ivanti released fixes for two security defects in Xtraction, its data-aggregation and visualization tool, tracked as CVE-2026-14902 and CVE-2026-14903 — a medium-severity open redirect and a high-severity path traversal. Neither is the marquee flaw of the cycle, but both belong on an Ivanti customer's list once the top item is triaged.
Fortinet published 11 security advisories detailing 12 vulnerabilities spanning FortiOS, FortiProxy, FortiSASE, FortiSIEM, FortiClient EMS, FortiAuthenticator, FortiPAM, FortiSwitch Manager, FortiSwitch-Manager Agentless SSL-VPN, and FortiSandbox. The most severe are high-severity bugs in FortiAuthenticator and FortiSandbox, with the remainder rated medium and low. The breadth of Fortinet's release — a dozen flaws across ten product lines — is the story as much as any single advisory, since it asks defenders to touch several distinct parts of the estate in one window.
The ServiceNow AI-Platform RCE in Context
A CVSS 9.5 rating on an unauthenticated RCE sits near the top of the severity scale, and the pairing of high impact with no authentication requirement is what moves CVE-2026-6875 to the front of the queue. What that means concretely depends on details ServiceNow's advisory carries and secondary reporting does not — which is why the responsible framing here is what was fixed and what to verify, not any attack path. The score's job is to set priority, not to describe technique.
The ServiceNow AI platform's role is what makes the note consequential: it underpins AI-assisted workflows layered on top of a system that many enterprises use to run IT service management, HR, and security operations. A flaw there sits close to a platform of record. It also lands during a broader run of AI-platform scrutiny across the industry, and it reinforces a pattern The CyberSignal has tracked as vulnerability exploitation has become a leading initial-access vector — a shift underscored by the 2026 Verizon DBIR. ServiceNow says it is not aware of exploitation in the wild, which makes the driver proactive risk reduction rather than active-incident response — but that is no reason to defer a 9.5-rated, unauthenticated patch.
Continuation Context: A Crowded July Patch Window
This coordinated cycle did not arrive in a quiet week. It follows the record-setting Microsoft July 2026 Patch Tuesday, where 622 CVEs and two exploited zero-days already stretched patch teams, and it sits alongside the VMware Avi Load Balancer fixes from the same window. For defenders, the takeaway is not any one vendor but the density: three enterprise vendors publishing critical patches on the same day, into an inbox already carrying Microsoft's and VMware's, is a portfolio-prioritization problem before it is a per-product one.
The Ivanti and Fortinet entries are also part of longer threads in this coverage. Ivanti product lines have been a recurring subject, including the actively exploited Ivanti Sentry flaws earlier in the cycle, while Fortinet's estate has drawn attention through items such as the FortiClient EMS credential-stealer campaign. None of that history changes this week's task, but it argues for treating these vendors' advisories as standing items in the patch calendar rather than one-off events.
Defender Posture for the Three Product Lines
For organizations running any of the three product families, the value of a coordinated patch cycle is operational. The first task is inventory: knowing which ServiceNow AI platform instances, Ivanti Xtraction deployments, and Fortinet products an organization runs, and at what release levels. That is the same discipline behind patch management generally — an accurate inventory is the difference between a targeted fix and a guess.
The second task is prioritization by severity and exposure. The unauthenticated ServiceNow RCE is the natural top of the list, but the split delivery model shapes the work: hosted ServiceNow instances are covered by the vendor's rollout, so the defender action there is confirmation, while self-hosted and partner deployments require applying the provided update and verifying it. Fortinet's high-severity FortiAuthenticator and FortiSandbox bugs come next, with internet-facing systems warranting faster action than isolated internal ones. Ivanti's Xtraction fixes round out the queue.
The third task is verification, which should close the loop rather than assume it: applying a note and confirming the fix are different states, and in complex enterprise landscapes the gap is where risk persists — patched in one environment but not another, updated on some nodes but not others. Defenders who record the target build for each affected system, then confirm each reached it, convert a patch day into an outcome. That risk-based sequencing is exactly the model behind CISA's BOD 26-04, and it is what keeps a crowded week from dropping a critical item between product owners.
Open Questions
A few specifics remain unconfirmed in the reporting reviewed, and each belongs in the open column rather than in a plan built on assumption. There is no confirmation of in-the-wild exploitation of any of the patched vulnerabilities — ServiceNow and Ivanti say they are not aware of exploitation, and Fortinet makes no mention of it — and a CISA Known Exploited Vulnerabilities listing is not confirmed at the time of writing. The precise affected and patched build levels across the Fortinet product range are best read from each of the 11 Fortinet advisories in full rather than a summary.
The reporting rests on the vendors' own advisories and independent coverage from SecurityWeek. That posture is standard for a freshly published patch cycle and no reason to doubt the core facts — a coordinated, multi-vendor release led by a CVSS 9.5 unauthenticated ServiceNow AI-platform RCE — but the operational specifics should be taken from ServiceNow's, Ivanti's, and Fortinet's official advisories, which customers should treat as authoritative for scope, versions, and remediation steps.
The CyberSignal Analysis
The reported facts above are the vendors', as relayed by the cited outlet; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.
Signal 01 — Unauthenticated and Critical Is the Combination That Sets the Schedule
The most useful way to read CVE-2026-6875 is as a scheduling instruction. Our assessment is that the pairing that should drive urgency is not the AI-platform branding but the two properties that define the flaw: critical severity and no authentication requirement. A CVSS 9.5 that an unauthenticated actor can reach is the kind of item that belongs at the top of the queue before exploitation is ever observed, because the score already encodes the impact and the access barrier is effectively zero. Let those two facts set priority; treat exploitation status as a separate, faster-moving clock.
Signal 02 — Coordinated Cycles Are Won on Inventory and Portfolio Triage
This cycle's defining feature is breadth — three vendors, ten-plus product lines, in one window, on top of Microsoft's and VMware's releases from the same week. Our reading is that the organizations that handle a multi-vendor patch day cleanly are the ones with the most accurate inventory and a single prioritized queue, not the fastest individual patching. When advisories arrive from several vendors at once, the failure mode is not slow patching of any one product; it is a critical item falling between product owners because no one held the portfolio view.
Signal 03 — Delivery Model Changes the Defender's Job, Not the Priority
ServiceNow's split rollout — automatic for hosted instances, manual for self-hosted customers and partners — is a reminder that the same CVE can imply different work depending on how a product is consumed. Our assessment is that defenders should map each affected product to its delivery model early: for vendor-hosted services the task is confirmation that the fix landed, while for self-hosted and partner deployments it is application plus verification. The forward-looking implication is to pre-classify the estate by hosting model before the next cycle, so a severity score converts to the right action immediately rather than after the advisory is parsed.