Ivanti Patches Critical Flaws in Endpoint Manager, Other Products

On May 21, Ivanti released updates to address numerous critical vulnerabilities in products such as Endpoint Manager, Avalanche, Neurons for ITSM, Connect Secure, and Secure Access. In total, 16 vulnerabilities were patched, which we will briefly review below.

Among the ten identified vulnerabilities in Endpoint Manager, six are related to SQL injection (CVE-2024-29822, CVE-2024-29823, CVE-2024-29824, CVE-2024-29825, CVE-2024-29826, CVE-2024-29827). These vulnerabilities have a CVSS score of 9.6 and allow an unauthenticated attacker on the same network to execute arbitrary code.

The remaining four vulnerabilities in Endpoint Manager (CVE-2024-29828, CVE-2024-29829, CVE-2024-29830, CVE-2024-29846) require the attacker to be authenticated but also enable arbitrary code execution. These flaws have a CVSS score of 8.4 and affect Ivanti EPM 2022 SU5 Core server and earlier versions.

In Ivanti Avalanche client version, the company addressed a critical vulnerability (CVE-2024-29848, CVSS 7.2) that allows hackers to remotely execute code by uploading a specially crafted file.

Ivanti also released patches for five other high-risk vulnerabilities: an SQL injection (CVE-2024-22059, CVSS 8.8) and an unrestricted file upload flaw (CVE-2024-22060, CVSS 8.7) in Ivanti Neurons for ITSM, a CRLF injection in Ivanti Connect Secure (CVE-2023-38551, CVSS 8.2), and two local privilege escalation vulnerabilities in Ivanti Secure Access: CVE-2023-38042, CVSS 7.8 (affecting Windows) and CVE-2023-46810, CVSS 7.3 (affecting Linux).

The company emphasized that there is no evidence that these vulnerabilities have been exploited in real-world attacks or that they were introduced into the code development process through the supply chain.

Ivanti customers are urged to promptly install the latest security patches to mitigate these critical vulnerabilities. It is also essential to regularly check for updates, adhere to cybersecurity best practices, audit systems and processes, and have an incident response plan in place for quick action in the event of a breach.