IT software company Ivanti on Tuesday announced patches for close to 50 vulnerabilities, including eight critical-severity bugs in Connect Secure, Policy Secure, and Endpoint Manager.
The critical issues, tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 to CVE-2024-39712, and CVE-2024-11005 to CVE-2024-11007, are described as argument and command injection flaws that could allow authenticated attackers with administrator privileges to achieve remote code execution (RCE).
Ivanti patched these bugs in Connect Secure version 22.7R2.3 and Policy Secure version 22.7R1.2, which also include fixes for eight high-severity and two medium-severity bugs that could lead to privilege escalation, denial-of-service (DoS) conditions, and RCE.
The company’s advisory also draws attention to five high-severity and two medium-severity vulnerabilities in Secure Access Client that could be exploited to escalate privileges, tamper with sensitive configuration files, arbitrary folder creation, and DoS conditions.
Ivanti announced that fixes for all seven security defects were included in Secure Access Client version 22.7R4.
On Tuesday, Ivanti also released patches for multiple vulnerabilities in Endpoint Manager, including a critical-severity issue that could be exploited remotely, without authentication, to execute arbitrary code.
Tracked as CVE-2024-50330 (CVSS score of 9.8) and described as an SQL injection, the bug was reported by Piotr Bazydlo of Trend Micro Zero Day Initiative.
Ivanti patched the security defect and 17 high-severity RCE flaws with the release of Endpoint Manager versions 2024 November Security Update and 2022 SU6 November Security Update.
Additionally, the company announced fixes for six high-severity issues in Avalanche that could allow an unauthenticated attacker to cause a DoS condition or read sensitive information in memory. Ivanti Avalanche version 6.4.6 resolves all six bugs.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti notes for all three products. Additional information can be found in the company’s November advisory.
Related: Citrix, Fortinet Patch High-Severity Vulnerabilities
Related: SAP Patches High-Severity Vulnerability in Web Dispatcher
Related: Google Says Its AI Found SQLite Vulnerability That Fuzzing Missed
Related: Lenovo Working on Patches for BIOS Vulnerabilities Affecting Many Laptops