Monday, March 10, 2025

Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities

Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.

A brief description of the issues is as follows:

  • CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.
  • CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785 (CVSS scores: 9.1) – Multiple unspecified SQL injection vulnerabilities that allow a remote authenticated attacker with admin privileges to achieve remote code execution.

The flaws affect EPM versions 2024 and 2022 SU5 and earlier, with fixes made available in versions 2024 SU1 and 2022 SU6, respectively.

Ivanti said it has found no evidence of the flaws being exploited in the wild as a zero-day, but it is essential that users update to the latest version to safeguard against potential threats.

Also addressed as part of the September update are seven high-severity shortcomings in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA).

The company said it has ramped up its internal scanning, manual exploitation and testing capabilities, and that it made improvements to its responsible disclosure process to swiftly discover and address potential issues.

“This has brought about a spike in discovery and disclosure,” the company noted.

The development comes in the aftermath of extensive in-the-wild exploitation of several zero-days in Ivanti appliances, including by China-nexus cyber espionage groups to breach networks of interest.

It also comes as Zyxel shipped fixes for a critical operating system (OS) command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in two of its network-attached storage (NAS) devices.

“A command injection vulnerability in the export-cgi program of Zyxel NAS326 and NAS542 devices may permit an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request,” the company said in an alert.

The security hole has been addressed in the below versions:

  • NAS326 (affects V5.21(AAZF.18)C0 and earlier) – Fixed in V5.21(AAZF.18)Hotfix-01
  • NAS542 (affects V5.21(ABAG.15)C0 and earlier) – Fixed in V5.21(ABAG.15)Hotfix-01
