Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager

23-May-24

Ivanti has released patches for multiple critical vulnerabilities in Endpoint Manager (EPM) and other products. In EPM, the fixes address six unauthenticated SQL injection flaws (CVE-2024-29822 to CVE-2024-29827) and four authenticated ones (CVE-2024-29828 to CVE-2024-29830, CVE-2024-29846); a remote code execution flaw in Avalanche (CVE-2024-29848) is also patched. Additional fixes include an SQL injection and file upload flaw in Neurons for ITSM, a CRLF injection in Connect Secure, and privilege escalation issues in the Secure Access client. Concurrently, a critical path traversal vulnerability in Netflix’s Genie (CVE-2024-4701) was identified, potentially allowing remote code execution by writing arbitrary files if attachments are stored locally. There is no evidence of these vulnerabilities being exploited in the wild.







