Ivanti Releases Security Updates for Critical RCE Flaw in Endpoint Management Software

• A fix for a critical remote code execution flaw in the Ivanti Endpoint Management software was released.
• The vulnerability enabled unauthenticated attackers to access the EPM core server.
• The EPM platform assists administrators in managing client devices using Windows, macOS, and Chrome OS.

A critical remote code execution (RCE) vulnerability in the Ivanti Endpoint Management software (EPM) was addressed by the company via patches for EPM 2024 and Service Update 6 (SU6) for EPM 2022, according to the latest Ivanti report.

Identified as CVE-2024-29847, the flaw arose from the deserialization of untrusted data within the agent portal and posed significant security risks by allowing unauthenticated attackers to gain unauthorized access to the EPM core server and execute code.

The EPM platform assists administrators in managing client devices across various operating systems, including Windows, macOS, and Chrome OS, as well as IoT systems. Yet, there are currently no known instances of this vulnerability being exploited in the wild, and no public exploitation indicators are available.

In addition to patching this severe vulnerability, Ivanti has also addressed nearly two dozen other high and critical severity vulnerabilities across its EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA) products. These flaws had not been exploited before the patches were deployed.

Historically, Ivanti has faced similar security challenges, having patched an RCE vulnerability (CVE-2023-39336) in January 2023. The company has since enhanced its internal scanning, manual exploitation, and testing processes, alongside improving its responsible disclosure procedures.

Ivanti's measures follow ongoing exploitation attempts of multiple zero-day vulnerabilities in its systems over recent years. Notable incidents include exploits on Ivanti VPN appliances, utilizing the CVE-2024-21887 command injection, and the CVE-2023-46805 authentication bypass flaws. 

Additionally, a server-side request forgery vulnerability (CVE-2024-21893) saw mass exploitation earlier this year, impacting ICS, IPS, and ZTA gateways.

Imperva Threat Research reported detecting attacker activity leveraging new and now fixed PHP vulnerability CVE-2024-4577 to deliver malware starting on June 8, which the researchers have attributed to the ‘TellYouThePass’ ransomware campaign.