Connect with us

Hi, what are you looking for?



Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager

Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager.

Ivanti vulnerability

IT software company Ivanti on Tuesday announced patches for several products, including fixes for critical vulnerabilities in Endpoint Manager (EPM).

Six out of the ten security defects resolved in EPM are critical-severity SQL Injection bugs that could allow an unauthenticated attacker on the network to execute arbitrary code, Ivanti says.

Tracked as CVE-2024-29822 through CVE-2024-29827, the bugs impact the Core server of Ivanti EPM 2022 SU5 and previous releases, and have a CVSS score of 9.6.

The software vendor released hot fixes for EPM 2022 SU5 and provided detailed instructions on how customers can update. Patches for the bugs will also be included in a future version of EPM.

The hot fixes resolve four other SQL injection vulnerabilities in EPM 2022 SU5 and prior releases that could also be exploited to execute arbitrary code from the network, without authentication. All four are rated ‘high severity’.

On Tuesday, Ivanti also announced patches for a high-severity unrestricted file upload bug in the web component of Ivanti Avalanche, that could allow attackers to execute code with System privileges.

“It is highly recommended to download the Avalanche installer and update to the latest Avalanche The installation will apply a fix for the single CVE but will also include previously released CVE fixes and security hardenings,” Ivanti notes.

Patches were rolled out for five other high-severity vulnerabilities as well: an SQL injection and an unrestricted file upload bug in Neurons for ITSM, a CRLF injection flaw in Connect Secure, and two local privilege escalation issues in the Secure Access client for Windows.

Advertisement. Scroll to continue reading.

Ivanti says it has no evidence of any of these vulnerabilities being exploited in attacks and underlines that no other products are affected by them.

On Tuesday, the company also reiterated its recently vowed commitment to improve security and vulnerability management practices.

“In April, we announced important security enhancements that will better enable us to anticipate, prevent, and protect against future threats. This commitment includes improvements to our vulnerability management program to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers,” Ivanti said.

Related: Ivanti Patches 27 Vulnerabilities in Avalanche MDM Product

Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

Related: Ivanti Patches Critical Vulnerabilities in Standalone Sentry, Neurons for ITSM

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights