Sep 11, 2024 | Ravie Lakshmanan | Enterprise Security / Vulnerability
Ivanti has recently released software updates to address several security flaws affecting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
Here’s a brief overview of the identified issues:
- CVE-2024-29847 (CVSS score: 10.0) – A critical deserialization vulnerability that enables remote unauthenticated attackers to execute malicious code.
- CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection flaws that allow remote authenticated attackers with admin privileges to achieve remote code execution.
These vulnerabilities impact EPM versions 2024 and 2022 SU5 and earlier, with fixes available in versions 2024 SU1 and 2022 SU6, respectively.
Ivanti has emphasized that there have been no reports of these vulnerabilities being exploited in the wild as zero-days. However, users are strongly advised to update to the latest versions to protect against potential security risks.
The September update also addresses seven high-severity vulnerabilities in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).
The company has enhanced its internal scanning, manual exploitation, and testing capabilities, and has improved its responsible disclosure process so that potential security issues are identified and fixed swiftly.
“This has led to a significant increase in the discovery and disclosure of vulnerabilities,” noted the company.
These developments come on the heels of widespread exploitation of zero-day vulnerabilities in Ivanti appliances by various threat actors, including state-sponsored cyber espionage groups.
Meanwhile, Zyxel has released patches for a critical operating system command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) found in two of its network-attached storage (NAS) devices.
“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system commands by sending a crafted HTTP POST request,” said the company in a security alert.

The security vulnerability has been patched in the following versions:
- NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
- NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01