Ivanti has mounted a most severity vulnerability in its Endpoint Administration software program (EPM) that may let unauthenticated attackers achieve distant code execution on the core server.
Ivanti EPM helps admins handle consumer gadgets that run numerous platforms, together with Home windows, macOS, Chrome OS, and IoT working methods.
The safety flaw (CVE-2024-29847) is brought on by a deserialization of untrusted information weak spot within the agent portal that has been addressed in Ivanti EPM 2024 scorching patches and Ivanti EPM 2022 Service Replace 6 (SU6).
“Profitable exploitation may result in unauthorized entry to the EPM core server,” the corporate stated in an advisory revealed right now.
For the second, Ivanti added that they are “not conscious of any prospects being exploited by these vulnerabilities on the time of disclosure. At present, there is no such thing as a recognized public exploitation of this vulnerability that may very well be used to supply a listing of indicators of compromise.”
At the moment, it additionally mounted nearly two dozen extra excessive and significant severity flaws in Ivanti EPM, Workspace Management (IWC), and Cloud Service Equipment (CSA) that have not been exploited within the wild earlier than being patched.
In January, the corporate patched the same RCE vulnerability (CVE-2023-39336) in Ivanti EPM that may very well be exploited to entry the core server or hijack enrolled gadgets.
Rise in mounted flaws because of safety enhancements
Ivanti stated it had escalated inner scanning, guide exploitation, and testing capabilities in latest months whereas additionally engaged on enhancing its accountable disclosure course of to deal with potential points quicker.
“This has induced a spike in discovery and disclosure, and we agree with CISAs assertion that the accountable discovery and disclosure of CVEs is ‘an indication of wholesome code evaluation and testing neighborhood,'” Ivanti stated.
This assertion follows intensive in-the-wild exploitation of a number of Ivanti zero-days lately. As an illustration, Ivanti VPN home equipment have been focused since December 2023 utilizing exploits chaining the CVE-2024-21887 command injection and the CVE-2023-46805 authentication bypass flaws as zero days.
The corporate additionally warned of a 3rd zero-day (a server-side request forgery bug now tracked as CVE-2024-21893) below mass exploitation in February, permitting attackers to bypass authentication on susceptible ICS, IPS, and ZTA gateways.
Ivanti says it has over 7,000 companions worldwide, and over 40,000 corporations use its merchandise to handle their IT property and methods.