Ivanti has rolled out safety updates to handle a number of safety flaws impacting Avalanche, Software Management Engine, and Endpoint Supervisor (EPM), together with 4 important bugs that might result in info disclosure.
All of the 4 important safety flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern absolute path traversal flaws that permit a distant unauthenticated attacker to leak delicate info. The issues are listed under –
- CVE-2024-10811
- CVE-2024-13161
- CVE-2024-13160, and
- CVE-2024-13159
The shortcomings have an effect on EPM variations 2024 November safety replace and prior, and 2022 SU6 November safety replace and prior. They’ve been addressed in EPM 2024 January-2025 Safety Replace and EPM 2022 SU6 January-2025 Safety Replace.
Horizon3.ai safety researcher Zach Hanley has been credited with discovering and reporting all vulnerabilities in query.
Additionally patched by Ivanti are a number of high-severity bugs in Avalanche variations prior to six.4.7 and Software Management Engine earlier than model 10.14.4.0 that might allow an attacker to bypass authentication, leak delicate info, and get across the utility blocking performance.
The corporate stated it has no proof that any of the failings are being exploited within the wild, and that it has intensified its inner scanning and testing procedures to promptly flag and deal with safety points.
The event comes as SAP launched fixes to resolve two important vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9) that permits an authenticated attacker to take advantage of improper authentication checks with a purpose to escalate privileges and entry restricted info resulting from weak entry controls.
“SAP strongly recommends that the shopper visits the Help Portal and applies patches on precedence to guard their SAP panorama,” the corporate stated in its January 2025 bulletin.