Home Security Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

by


Sep 11, 2024Ravie LakshmananEnterprise Security / Vulnerability

Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.

A brief description of the issues is as follows –

  • CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
  • CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution

The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.

Cybersecurity

Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it’s essential that users update to the latest version to safeguard against potential threats.

Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).

The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.

“This has caused a spike in discovery and disclosure,” the company noted.

The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.

It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.

“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.

Cybersecurity

The security hole has been addressed in the below versions –

  • NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
  • NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex