Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure.

All four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM and concern absolute path traversal flaws that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below:

  • CVE-2024-10811
  • CVE-2024-13161
  • CVE-2024-13160, and
  • CVE-2024-13159

The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update.

Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all four vulnerabilities in question.

Also patched by Ivanti are several high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine before version 10.14.4.0 that could allow an attacker to bypass authentication, leak sensitive information, and get around the application blocking functionality.

The company said it has no evidence that any of the flaws are being exploited in the wild, and that it has intensified its internal scanning and testing procedures to promptly flag and address security issues.

The development comes as SAP released fixes to resolve two critical vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9) that allow an authenticated attacker to exploit improper authentication checks in order to escalate privileges and access restricted information due to weak access controls.

"SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape," the company said in its January 2025 bulletin.
