
Ivanti Patches 50 Vulnerabilities Across Several Products

Ivanti has released fixes for dozens of vulnerabilities in Endpoint Manager, Avalanche, Connect Secure, Policy Secure, and Secure Access Client.


IT software company Ivanti on Tuesday announced patches for close to 50 vulnerabilities, including eight critical-severity bugs in Connect Secure, Policy Secure, and Endpoint Manager.

The critical issues, tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 to CVE-2024-39712, and CVE-2024-11005 to CVE-2024-11007, are described as argument and command injection flaws that could allow authenticated attackers with administrator privileges to achieve remote code execution (RCE).

Ivanti patched these bugs in Connect Secure version 22.7R2.3 and Policy Secure version 22.7R1.2, which also include fixes for eight high-severity and two medium-severity bugs that could lead to privilege escalation, denial-of-service (DoS) conditions, and RCE.

The company’s advisory also draws attention to five high-severity and two medium-severity vulnerabilities in Secure Access Client that could be exploited to escalate privileges, tamper with sensitive configuration files, create arbitrary folders, or cause DoS conditions.

Ivanti announced that fixes for all seven security defects were included in Secure Access Client version 22.7R4.

On Tuesday, Ivanti also released patches for multiple vulnerabilities in Endpoint Manager, including a critical-severity issue that could be exploited remotely, without authentication, to execute arbitrary code.

Tracked as CVE-2024-50330 (CVSS score of 9.8) and described as an SQL injection, the bug was reported by Piotr Bazydlo of Trend Micro’s Zero Day Initiative.

Ivanti patched the security defect and 17 high-severity RCE flaws with the release of the Endpoint Manager 2024 November Security Update and the 2022 SU6 November Security Update.


Additionally, the company announced fixes for six high-severity issues in Avalanche that could allow an unauthenticated attacker to cause a DoS condition or read sensitive information in memory. Ivanti Avalanche version 6.4.6 resolves all six bugs.

“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti notes for all three products. Additional information can be found in the company’s November advisory.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
