Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager


Ivanti has released patches for multiple critical vulnerabilities in Endpoint Manager (EPM) and other products, addressing six unauthenticated SQL injection flaws (CVE-2024-29822 to CVE-2024-29827) and four authenticated ones (CVE-2024-29828 to CVE-2024-29830, CVE-2024-29846) in EPM, as well as a remote code execution flaw in Avalanche (CVE-2024-29848). Additional fixes include an SQL injection and file upload flaw in Neurons for ITSM, a CRLF injection in Connect Secure, and privilege escalation issues in Secure Access client. Concurrently, a critical path traversal vulnerability in Netflix’s Genie (CVE-2024-4701) was identified, potentially allowing remote code execution by writing arbitrary files if attachments are stored locally. There is no evidence of these vulnerabilities being exploited in the wild.
