Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
A brief description of the issues is as follows –
- CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
- CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution.
The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.
Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it's essential that users update to the latest version to safeguard against potential threats.
Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).
The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.
“This has caused a spike in discovery and disclosure,” the company noted.
The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.
It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.
“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.
The security hole has been addressed in the below versions –
- NAS326 (impacts V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
- NAS542 (impacts V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01