
Ivanti Patches Critical Vulnerabilities in Endpoint Manager

Ivanti has released patches for multiple vulnerabilities in Endpoint Manager (EPM), including four critical-severity flaws.


Ivanti on Tuesday announced patches for multiple critical- and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM).

The most severe of the resolved flaws are four absolute path traversal issues in Ivanti EPM that could allow remote, unauthenticated attackers to leak sensitive information.

Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8), the bugs impact EPM versions 2024 and 2022 SU6 that have the November 2024 security update installed.

The EPM January 2025 security updates also resolve 12 high-severity defects that could lead to remote code execution (RCE), denial-of-service (DoS), and escalation of privilege. The DoS bugs and three of the RCE flaws could be exploited remotely, without authentication.

Avalanche version 6.4.7 was released on Tuesday with fixes for three high-severity path traversal vulnerabilities that could be exploited by remote, unauthenticated attackers to bypass authentication and leak sensitive information.

The flaws are tracked as CVE-2024-13181, CVE-2024-13180, and CVE-2024-13179. The first two CVEs, Ivanti says, also address incomplete patches for CVE-2024-47010 and CVE-2024-47011, respectively, which were released in October 2024.

On Tuesday, Ivanti also announced fixes for a high-severity race condition issue in Application Control Engine that could allow attackers to bypass the application blocking functionality. Successful exploitation of the flaw requires authentication.

Ivanti recommends that all customers update their Application Control instances to versions 2024.3 HF1, 2024.1 HF4, and 2023.3 HF3. The company also warns that no fixes will be released for Application Control Module for Security Controls, and recommends migrating to Application Control or Neurons for App Control.


“We have no evidence of any of these vulnerabilities being exploited in the wild. These vulnerabilities do not impact any other Ivanti products,” Ivanti notes.

Organizations are advised to update their Ivanti products as soon as possible. Threat actors are known to have exploited Ivanti vulnerabilities in their attacks.

Related: Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation

Related: Ivanti Patches Critical Flaws in Connect Secure, Cloud Services Application

Related: Ivanti Patches 50 Vulnerabilities Across Several Products

Related: Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
