Vulnerabilities

Fortinet, Ivanti, Nvidia Release Security Updates

High-severity vulnerabilities could lead to remote code execution, privilege escalation, information disclosure, and configuration tampering.

Fortinet, Ivanti, and Nvidia on Tuesday announced security updates that address over a dozen high- and medium-severity vulnerabilities across their product portfolios.

Ivanti resolved two high-severity insufficient filename validation issues in Endpoint Manager (EPM) that could be exploited remotely, without authentication, to execute arbitrary code. The exploitation of both defects, however, requires user interaction.

Additionally, the company announced patches for five high- and six medium-severity vulnerabilities in Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access.

The most severe of the security holes include a missing authorization issue leading to HTML5 connection hijacking, a CSRF bug leading to the unauthenticated execution of sensitive actions, and missing authorization flaws that allow attackers to configure authentication-related settings.

Patches were included in EPM versions 2024 SU3 SR 1 and 2022 SU8 SR 2, Connect Secure versions 22.7R2.9 and 22.8R2, Policy Secure version 22.7R1.5, ZTA Gateways version 22.8R2.3-723, and Neurons for Secure Access version 22.8R1.4.

“We have no evidence of any of these vulnerabilities being exploited in the wild,” Ivanti notes in its security update announcement.

Fortinet released fixes for a medium-severity OS command injection bug in FortiDDoS that could lead to code execution, and for a medium-severity path traversal flaw in FortiWeb leading to arbitrary file read.

Nvidia rolled out fixes for one high- and two medium-severity defects in the NVDebug tool that could allow attackers to access privileged accounts, write files to restricted components, or run code as non-privileged users.

The issues could be exploited for code execution, privilege escalation, denial-of-service (DoS), information disclosure, or data tampering, and were resolved in NVDebug tool version 1.7.0.

Neither Fortinet nor Nvidia makes any mention of these vulnerabilities being exploited in the wild, but users are advised to update their applications as soon as possible.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.