Ivanti has released software updates for address multiple security flaws affecting Endpoint Manager (EPM), including 10 critical vulnerabilities that could lead to remote code execution.
A brief description of the problems is as follows:
- CVE-2024-29847 (CVSS Score: 10.0) – Untrusted data deserialization vulnerability allows a remote, unauthenticated attacker to achieve code execution.
- CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-32848. 2024-34785 (CVSS Score: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow an attacker with authenticated administrator privileges to achieve remote code execution
The vulnerabilities affect EPM versions 2024 and 2022 SU5 and earlier, with fixes available in 2024 SU1 and 2022 SU6, respectively.
Ivanti said it hasn’t found any evidence of the flaws being used in the wild as a zero-day, but it’s critical that users update to the latest version to protect against potential threats.
Also, as part of the September update, seven serious flaws in the Ivanti workspace control (IWC) and Ivanti Cloud Service appliance (CSA).
The company said it has expanded its internal scanning, manual operation and testing capabilities, and made improvements to its responsible disclosure process to quickly identify and address potential issues.
“This has led to a surge in discoveries and disclosures,” the company said in a statement noted.
Development comes later extensive exploitation in the wild several zero days in Ivanti devices, including China-nexus cyber-espionage groups to hack interesting networks.
It also comes after Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two network attached storage (NAS) devices.
“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute certain operating system (OS) commands by sending a crafted HTTP POST request,” the company said in a statement. said in the notice.
The security flaw has been fixed in the following versions –
- NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
- NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01
