Ivanti fixes maximum severity RCE bug in Endpoint Management software

Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server.

Ivanti EPM helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.

The security flaw (CVE-2024-29847) is caused by a deserialization of untrusted data weakness in the agent portal that has been addressed in Ivanti EPM 2024 hot patches and Ivanti EPM 2022 Service Update 6 (SU6).

“Successful exploitation could lead to unauthorized access to the EPM core server,” the company said in an advisory published today.

For the moment, Ivanti added that they are “not aware of any customers being exploited by these vulnerabilities at the time of disclosure. Currently, there is no known public exploitation of this vulnerability that could be used to provide a list of indicators of compromise.”

Today, it also fixed almost two dozen more high and critical severity flaws in Ivanti EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA) that haven't been exploited in the wild before being patched.

In January, the company patched a similar RCE vulnerability (CVE-2023-39336) in Ivanti EPM that could be exploited to access the core server or hijack enrolled devices.

Rise in fixed flaws due to security improvements

Ivanti said it had escalated internal scanning, manual exploitation, and testing capabilities in recent months while also working on improving its responsible disclosure process to address potential issues faster.

“This has caused a spike in discovery and disclosure, and we agree with CISA's statement that the responsible discovery and disclosure of CVEs is ‘a sign of healthy code analysis and testing community,'” Ivanti said.

This statement follows extensive in-the-wild exploitation of multiple Ivanti zero-days recently. For instance, Ivanti VPN appliances have been targeted since December 2023 using exploits chaining the CVE-2024-21887 command injection and the CVE-2023-46805 authentication bypass flaws as zero days.

The company also warned of a third zero-day (a server-side request forgery bug now tracked as CVE-2024-21893) under mass exploitation in February, allowing attackers to bypass authentication on vulnerable ICS, IPS, and ZTA gateways.

Ivanti says it has over 7,000 partners worldwide, and over 40,000 companies use its products to manage their IT assets and systems.
