Ivanti has fastened a most severity vulnerability in its Endpoint Administration software program (EPM) that may let unauthenticated attackers achieve distant code execution on the core server.
Ivanti EPM helps admins handle consumer gadgets that run numerous platforms, together with Home windows, macOS, Chrome OS, and IoT working techniques.
The safety flaw (CVE-2024-29847) is attributable to a deserialization of untrusted knowledge weak spot within the agent portal that has been addressed in Ivanti EPM 2024 sizzling patches and Ivanti EPM 2022 Service Replace 6 (SU6).
“Profitable exploitation may result in unauthorized entry to the EPM core server,” the corporate stated in an advisory revealed right now.
For the second, Ivanti added that they are “not conscious of any clients being exploited by these vulnerabilities on the time of disclosure. At present, there isn’t any identified public exploitation of this vulnerability that might be used to offer a listing of indicators of compromise.”
Right this moment, it additionally fastened nearly two dozen extra excessive and demanding severity flaws in Ivanti EPM, Workspace Management (IWC), and Cloud Service Equipment (CSA) that have not been exploited within the wild earlier than being patched.
In January, the corporate patched an identical RCE vulnerability (CVE-2023-39336) in Ivanti EPM that might be exploited to entry the core server or hijack enrolled gadgets.
Rise in fastened flaws as a result of safety enhancements
Ivanti stated it had escalated inside scanning, guide exploitation, and testing capabilities in latest months whereas additionally engaged on enhancing its accountable disclosure course of to deal with potential points quicker.
“This has triggered a spike in discovery and disclosure, and we agree with CISAs assertion that the accountable discovery and disclosure of CVEs is ‘an indication of wholesome code evaluation and testing group,'” Ivanti stated.
This assertion follows intensive in-the-wild exploitation of a number of Ivanti zero-days lately. For example, Ivanti VPN home equipment have been focused since December 2023 utilizing exploits chaining the CVE-2024-21887 command injection and the CVE-2023-46805 authentication bypass flaws as zero days.
The corporate additionally warned of a 3rd zero-day (a server-side request forgery bug now tracked as CVE-2024-21893) beneath mass exploitation in February, permitting attackers to bypass authentication on susceptible ICS, IPS, and ZTA gateways.
Ivanti says it has over 7,000 companions worldwide, and over 40,000 firms use its merchandise to handle their IT property and techniques.