Ivanti has issued a security advisory addressing multiple critical and high-severity vulnerabilities in its Endpoint Manager (EPM) software. These flaws, if exploited, could allow attackers to gain unauthorized access, execute remote code, or escalate privileges, posing a serious risk to enterprise systems.
The most severe vulnerabilities are four absolute path traversal flaws (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160 and CVE-2024-13159), each with a CVSS score of 9.8 (Critical). These vulnerabilities could allow a remote, unauthenticated attacker to leak sensitive information.
Other vulnerabilities include:
- An unbounded resource search path that could allow remote code execution (CVE-2024-13158, CVSS Score: 7.2)
- Improper signature verification that could allow remote code execution (CVE-2024-13172, CVE-2024-13171, CVSS Score: 7.8)
- An out-of-bounds write that could allow a denial-of-service condition (CVE-2024-13169, CVE-2024-13168, CVE-2024-13167, CVE-2024-13166, CVE-2024-13165, CVSS Scores: 7.5 and 7.8)
- An out-of-bounds read that could allow privilege escalation (CVE-2024-13170, CVSS Score: 7.5)
- An uninitialized resource that could allow privilege escalation (CVE-2024-13164, CVSS Score: 7.8)
- Deserialization of untrusted data that could allow remote code execution (CVE-2024-13163, CVSS Score: 7.8)
- SQL injection that could allow remote code execution (CVE-2024-13162, CVSS Score: 7.2)
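As an added illustration of the flaw class behind the four critical CVEs above (absolute path traversal), and not Ivanti's code, the following Python contrasts a path join that silently discards its base directory when handed an absolute path with a resolver that refuses absolute and escaping paths. The base directory and the request inputs are constructed values.

```python
import posixpath

# Constructed sample inputs: values a file-serving endpoint might receive in a request.
SAMPLE_INPUTS = [
    "reports/q1.txt",             # legitimate relative path
    "/etc/passwd",                # absolute path (CWE-36, the class in the advisory)
    "../../etc/passwd",           # relative traversal
    "reports/../../../etc/shadow" # traversal hidden behind a legitimate prefix
]

def vulnerable_resolve(base, user_path):
    """Naive join: posixpath.join() drops `base` entirely when `user_path`
    is absolute, so "/etc/passwd" resolves to exactly "/etc/passwd"."""
    return posixpath.normpath(posixpath.join(base, user_path))

def safe_resolve(base, user_path):
    """Return the resolved path under `base`, or None if the request must be refused.
    Rejects absolute input outright, then checks that the normalised result still
    lies inside `base`. The check is lexical; a deployment that follows symlinks
    should additionally compare realpath() results."""
    if posixpath.isabs(user_path):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate

def audit(base, inputs):
    """Map each input to (naive result, hardened result) to show where they diverge."""
    return {p: (vulnerable_resolve(base, p), safe_resolve(base, p)) for p in inputs}

if __name__ == "__main__":
    for path, (naive, safe) in audit("/srv/app/files", SAMPLE_INPUTS).items():
        print(f"{path!r:32} naive={naive!r:24} hardened={safe!r}")
```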
“We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” the company wrote.
Ivanti has released hot patches for EPM 2024 and EPM 2022 SU6 to address these vulnerabilities. The company urges all customers to apply the patches as soon as possible.
The Ivanti security advisory provides detailed instructions on how to download and apply the patches.