May 21, Ivanti released updates to address numerous critical vulnerabilities in products such as Endpoint Manager, Avalanche, Neurons for Itsm, Connect Secure, and Secure Access. A total of 16 vulnerabilities were patched, which are briefly outlined below.
Ten of the identified vulnerabilities in Endpoint Manager are related to SQL injections (CVE-2024-29822, CVE-2024-29823, CVE-2024-29824, CVE-2024-29825, CVE-2024-29826, CVE-2024-29827) with a CVSS score of 9.6. These vulnerabilities allow an unauthenticated attacker on the same network to execute arbitrary code.
The remaining four vulnerabilities in Endpoint Manager (CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, CVE-2024-29846) require attacker authentication but also enable the execution of arbitrary code. These vulnerabilities have a CVSS score of 8.4 and impact the Core server Ivanti EPM 2022 SU5 and earlier versions.
In client IVANTI AVALANCE version 6.4.3.602, the company addressed the critical vulnerability CVE-2024-29848 (CVSS 7.2), which allows remote code execution by hackers through the loading of a specially crafted file.
Additionally, patches were released for five other high-severity vulnerabilities: SQL injection (CVE-2024-22059, CVSS 8.8) and unlimited file download error (CVE-2024-22060, CVSS 8.7) in Ivanti Neurons for Its, Crlf injection in Ivanti Connect Secure (CVE-2023-38551, CVSS 8.2), and two local privilege escalation vulnerabilities in Ivanti Secure Access: CVE-2023-38042, CVSS 7.8 (affects Windows) and CVE-2023-46810, CVSS 7.3 (affects Linux).
The company stressed that there is no evidence of these vulnerabilities being exploited in real attacks or incorporated into code through the supply chain.
IVANTI customers are advised to promptly apply the latest security updates to mitigate critical vulnerabilities. Regularly checking for updates, following cybersecurity best practices, conducting system audits, and having an incident response plan in place for swift action in the event of a breach are also emphasized