September 17, 2024
Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities
Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows - CVE-2024-29847 (CVSS score: 10.0) - A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.

Sep 11, 2024Ravie LakshmananEnterprise Security / Vulnerability

Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.

A brief description of the issues is as follows –

  • CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
  • CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution

The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.

Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it’s essential that users update to the latest version to safeguard against potential threats.

Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).

The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.

“This has caused a spike in discovery and disclosure,” the company noted.

The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.

It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.

“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.

The security hole has been addressed in the below versions –

  • NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
  • NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense

Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense

U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation

U.S. Treasury Sanctions Executives Linked to Intellexa Predator Spyware Operation

How to Investigate ChatGPT activity in Google Workspace How to Investigate ChatGPT activity in Google Workspace

How to Investigate ChatGPT activity in Google Workspace

Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

You may have missed

The Apple Watch Series 10 offers mostly minor upgrades, but faster charging is a big plus The Apple Watch Series 10 offers mostly minor upgrades, but faster charging is a big plus

The Apple Watch Series 10 offers mostly minor upgrades, but faster charging is a big plus

Amazon is using generative AI to drive more same-day shipping using smarter robots and better routes Amazon is using generative AI to drive more same-day shipping using smarter robots and better routes

Amazon is using generative AI to drive more same-day shipping using smarter robots and better routes

Samsung Reportedly Testing One UI 7 Ahead of Anticipated Beta Release Samsung Reportedly Testing One UI 7 Ahead of Anticipated Beta Release

Samsung Reportedly Testing One UI 7 Ahead of Anticipated Beta Release

Tech M&A has been thwarted by regulators, but dealmakers skeptical that election will change much Tech M&A has been thwarted by regulators, but dealmakers skeptical that election will change much

Tech M&A has been thwarted by regulators, but dealmakers skeptical that election will change much

Samsung Galaxy F05 With 50-Megapixel Camera Launched in India Samsung Galaxy F05 With 50-Megapixel Camera Launched in India

Samsung Galaxy F05 With 50-Megapixel Camera Launched in India

Major American bank CEO warns of US economic fate worse than recession

Major American bank CEO warns of US economic fate worse than recession