Ivanti on Tuesday announced patches for multiple critical- and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM).
The most severe of the resolved flaws are four absolute path traversal issues in Ivanti EPM that could allow remote, unauthenticated attackers to leak sensitive information.
Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8), the bugs impact EMP versions 2024 and 2022 SU6 that have the November 2024 security update installed.
The EMP January-2025 security updates also resolve 12 high-severity defects that could lead to remote code execution (RCE), denial-of-service (DoS), and escalation of privilege. The DoS bugs and thee of the RCE flaws could be exploited remotely, without authentication.
Avalanche version 6.4.7 was released on Tuesday with fixes for three high-severity path traversal vulnerabilities that could be exploited by remote, unauthenticated attackers to bypass authentication and leak sensitive information.
The flaws are tracked as CVE-2024-13181, CVE-2024-13180, and CVE-2024-13179. The first two CVEs, Ivanti says, also address incomplete patches for CVE-2024-47010 and CVE-2024-47011, respectively, which were released in October 2024.
On Tuesday, Ivanti also announced fixes for a high-severity race condition issue in Application Control Engine that could allow attackers to bypass the application blocking functionality. Successful exploitation of the flaw requires authentication.
Ivanti recommends that all customers update their Application Control instances to versions 2024.3 HF1, 2024.1 HF4, and 2023.3 HF3. The company also warns that no fixes will be released for Application Control Module for Security Controls, and recommends migrating to Application Control or Neurons for App Control.
“We have no evidence of any of these vulnerabilities being exploited in the wild. These vulnerabilities do not impact any other Ivanti products,” Ivanti notes.
Organizations are advised to update their Ivanti products as soon as possible. Threat actors are known to have exploited Ivanti vulnerabilities in their attacks.
Related: Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation
Related: Ivanti Patches Critical Flaws in Connect Secure, Cloud Services Application
Related: Ivanti Patches 50 Vulnerabilities Across Several Products
Related: Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product
