Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
A brief description of the issues is as follows –
- CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
- CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution
The flaws impact EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.
Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it's essential that users update to the latest version to safeguard against potential threats.
Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).
The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.
“This has brought on a spike in discovery and disclosure,” the company noted.
The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.
It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.
“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices might enable an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.
The security hole has been addressed in the below versions –
- NAS326 (impacts V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
- NAS542 (impacts V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01