Ivanti has addressed a critical vulnerability in its Endpoint Management software (EPM), which could allow unauthenticated attackers to execute code remotely on the core server.
Ivanti EPM supports administrators in managing client devices running various platforms, such as Windows, macOS, Chrome OS, and IoT systems.
The security issue, identified as CVE-2024-29847, stems from a deserialization vulnerability in the agent portal. This flaw has been resolved in Ivanti EPM 2024 hot patches and EPM 2022 Service Update 6 (SU6).
“Successful exploitation could result in unauthorized access to the EPM core server,” Ivanti noted in an advisory released today.
The company also stated that, at the time of disclosure, it was “not aware of any customers being exploited by these vulnerabilities” and that no known public exploitation had occurred, meaning there are no current indicators of compromise.
Additionally, Ivanti has fixed nearly two dozen other high and critical severity flaws in EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA), none of which had been exploited in the wild prior to being patched.
Earlier, in January, Ivanti patched a similar RCE vulnerability (CVE-2023-39336) in EPM, which could have been exploited to gain access to the core server or compromise enrolled devices.
Rise in fixed flaws due to security improvements
Ivanti announced that it has increased its internal scanning, manual exploitation, and testing efforts in recent months, while also focusing on enhancing its responsible disclosure process to address vulnerabilities more swiftly.
“This has led to a rise in vulnerability discovery and disclosure. We align with CISA’s statement that responsible identification and disclosure of CVEs is ‘a sign of a healthy code analysis and testing community,’” Ivanti stated.
This follows the widespread exploitation of several Ivanti zero-day vulnerabilities in recent years. Since December 2023, Ivanti VPN appliances have been targeted by attackers using exploits that chain the CVE-2024-21887 command injection and CVE-2023-46805 authentication bypass flaws.
The company also warned of a third zero-day vulnerability, a server-side request forgery bug (CVE-2024-21893), which came under mass exploitation in February, allowing attackers to bypass authentication on vulnerable ICS, IPS, and ZTA gateways.
Ivanti reports that over 7,000 partners and more than 40,000 companies globally use its products to manage IT assets and systems.
Source: BleepingComputer, Sergiu Gatlan