Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
A brief description of the issues is as follows –
- CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
- CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve code execution
The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.
Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it’s essential that users update to the latest version to safeguard against potential threats.
Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).
The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.
“This has caused a spike in discovery and disclosure,” the company noted.
The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.
It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.
“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.
The security hole has been addressed in the below versions –
- NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
- NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01