Ivanti has rolled out security updates to address several security vulnerabilities affecting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical vulnerabilities that could lead to information disclosure.
All four critical vulnerabilities, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM and involve absolute path traversal flaws that allow a remote, unauthenticated attacker to exfiltrate sensitive information. Disadvantages are listed below –
- CVE-2024-10811
- CVE-2024-13161
- CVE-2024-13160 and
- CVE-2024-13159
The vulnerabilities affect EPM versions of the November 2024 security update. and earlier, as well as the SU6 November 2022 security update. and earlier. These were addressed in the EPM 2024 Security Update Jan-2025 and the EPM 2022 SU6 Security Update Jan-2025.
Horizon3.ai security researcher Zach Hanley is credited with discovering and reporting all of the vulnerabilities in question.
Ivanti also fixed several high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine prior to 10.14.4.0 that could allow an attacker to bypass authentication, leak sensitive information, and bypass application locking functionality.
The company said it has no evidence that any of the flaws are being exploited in the wild, and that it has strengthened its internal scanning and testing procedures to promptly flag and address security issues.
The development comes after SAP released patches to address two critical vulnerabilities in NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS Score: 9.9) that allow an authenticated attacker , use incorrect authentication checks in order to elevate privileges and access to information with limited access due to weak access control.
“SAP strongly encourages the customer to visit Support portal and applies patches as a priority to protect its SAP landscape,” the company said in its January 2025 newsletter.
