Ivanti has rolled out safety updates to handle a number of safety flaws impacting Avalanche, Software Management Engine, and Endpoint Supervisor (EPM), together with 4 essential bugs that might result in info disclosure.
All of the 4 essential safety flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern absolute path traversal flaws that permit a distant unauthenticated attacker to leak delicate info. The issues are listed beneath –
- CVE-2024-10811
- CVE-2024-13161
- CVE-2024-13160, and
- CVE-2024-13159
The shortcomings have an effect on EPM variations 2024 November safety replace and prior, and 2022 SU6 November safety replace and prior. They’ve been addressed in EPM 2024 January-2025 Safety Replace and EPM 2022 SU6 January-2025 Safety Replace.
Horizon3.ai safety researcher Zach Hanley has been credited with discovering and reporting all vulnerabilities in query.
Additionally patched by Ivanti are a number of high-severity bugs in Avalanche variations prior to six.4.7 and Software Management Engine earlier than model 10.14.4.0 that might allow an attacker to bypass authentication, leak delicate info, and get across the software blocking performance.
The corporate mentioned it has no proof that any of the failings are being exploited within the wild, and that it has intensified its inner scanning and testing procedures to promptly flag and handle safety points.
The event comes as SAP launched fixes to resolve two essential vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9) that enables an authenticated attacker to use improper authentication checks with the intention to escalate privileges and entry restricted info as a result of weak entry controls.
“SAP strongly recommends that the shopper visits the Assist Portal and applies patches on precedence to guard their SAP panorama,” the corporate mentioned in its January 2025 bulletin.
