
Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager

Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager.


IT software company Ivanti on Tuesday announced patches for several products, including fixes for critical vulnerabilities in Endpoint Manager (EPM).

Six out of the ten security defects resolved in EPM are critical-severity SQL Injection bugs that could allow an unauthenticated attacker on the network to execute arbitrary code, Ivanti says.

Tracked as CVE-2024-29822 through CVE-2024-29827, the bugs impact the Core server of Ivanti EPM 2022 SU5 and previous releases, and have a CVSS score of 9.6.

The software vendor released hot fixes for EPM 2022 SU5 and provided detailed instructions on how customers can update. Patches for the bugs will also be included in a future version of EPM.

The hot fixes resolve four other SQL injection vulnerabilities in EPM 2022 SU5 and prior releases that could also be exploited to execute arbitrary code from the network, without authentication. All four are rated ‘high severity’.

On Tuesday, Ivanti also announced patches for a high-severity unrestricted file upload bug in the web component of Ivanti Avalanche that could allow attackers to execute code with System privileges.

“It is highly recommended to download the Avalanche installer and update to the latest Avalanche 6.4.3.602. The installation will apply a fix for the single CVE but will also include previously released CVE fixes and security hardenings,” Ivanti notes.

Patches were rolled out for five other high-severity vulnerabilities as well: an SQL injection and an unrestricted file upload bug in Neurons for ITSM, a CRLF injection flaw in Connect Secure, and two local privilege escalation issues in the Secure Access client for Windows.


Ivanti says it has no evidence of any of these vulnerabilities being exploited in attacks and underlines that no other products are affected by them.

On Tuesday, the company also reiterated its recent commitment to improving its security and vulnerability management practices.

“In April, we announced important security enhancements that will better enable us to anticipate, prevent, and protect against future threats. This commitment includes improvements to our vulnerability management program to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers,” Ivanti said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
