Ivanti has issued critical security updates for its Endpoint Manager (EPM) to address several high-severity vulnerabilities that pose significant risks to users. The updates specifically target ten severe flaws, including CVE-2024-29847, which has been assigned a CVSS score of 10.0. This vulnerability involves the deserialization of untrusted data, allowing remote unauthenticated attackers to execute arbitrary code on systems affected by this issue. Additionally, the updates address multiple SQL injection vulnerabilities, such as CVE-2024-32840 and others, each with a CVSS score of 9.1. These SQL injection flaws enable remote authenticated attackers with administrative privileges to execute code remotely, further compromising the security of the affected systems.
The vulnerabilities impact EPM versions 2024 and 2022 SU5 and earlier. To mitigate these risks, Ivanti has released fixes in EPM versions 2024 SU1 and 2022 SU6. Although there is no evidence suggesting that these vulnerabilities have been actively exploited as zero-day attacks, Ivanti stresses the importance of updating to the latest versions. By doing so, users can protect themselves against potential threats that may emerge in the future. The company’s prompt action in addressing these vulnerabilities highlights its commitment to maintaining robust security and protecting its users from evolving threats.
In addition to the Endpoint Manager updates, Ivanti has also released patches for seven high-severity vulnerabilities in Ivanti Workspace Control and Ivanti Cloud Service Appliance. These updates reflect Ivanti’s broader efforts to enhance its internal security measures. The company has significantly improved its internal scanning, manual exploitation, and testing capabilities. Furthermore, Ivanti has refined its responsible disclosure process to expedite the discovery and remediation of vulnerabilities. This proactive approach is part of a larger strategy to address the growing number of security threats and ensure the safety and integrity of its products.
Reference:
