A critical deserialization vulnerability (CVE-2024-29847) with a CVSS score of 10.0 has been identified in Ivanti software [4] [6], specifically in Ivanti Endpoint Manager (EPM).
Description
This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting the deserialization of untrusted data [1], posing a high risk of compromise to managed endpoints [4]. Ivanti has released fixes for this vulnerability to prevent remote code execution and compromise of the EPM core server.

In addition, multiple SQL injection vulnerabilities (CVE-2024-32840 [6], CVE-2024-32842 [1] [2] [3] [4] [6], CVE-2024-32843 [1] [2] [3] [4] [6], CVE-2024-32845 [1] [2] [3] [4] [6], CVE-2024-32846 [1] [2] [3] [4] [6], CVE-2024-32848 [1] [2] [3] [4] [6], CVE-2024-34779 [6], CVE-2024-34783 [6], CVE-2024-34785) with CVSS scores of 9.1 have been discovered [6]; they enable remote code execution by authenticated attackers with admin privileges [6]. Ivanti has also patched nearly two dozen other critical and high-severity bugs in EPM [2], Cloud Service Appliance [2], and Workspace Control [2].

According to [5], the deserialization vulnerability has a CVSSv2 base score of 6.8 with a severity rating of Medium, and a CVSSv3.0 base score of 8.3 with a severity rating of High.

Following recent zero-day exploits affecting its products [2], Ivanti has enhanced its internal scanning [2] [6], testing [2] [6], and manual exploitation capabilities [2] to speed up vulnerability remediation efforts.
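The advisory names the vulnerability class (deserialization of untrusted data leading to code execution) but not the mechanism inside EPM. The following Python example is added here as an illustration of that class and is not code from Ivanti or from any of the cited sources; Python's pickle stands in for the .NET deserialization in EPM, and the `Payload` class, the `side_effect` callable and the `SAFE_GLOBALS` allowlist are constructed for the example. It shows that a plain `loads()` executes a callable chosen by whoever produced the bytes, that an allowlisting unpickler refuses the same bytes before anything runs, and how a defender can statically list the globals a stream would resolve for logging or alerting.

```python
import io
import pickle
import pickletools

# Constructed stand-in for "arbitrary code": a harmless callable that only
# records that it was invoked, so the effect of deserialization is observable.
CALLS = []


def side_effect(tag):
    CALLS.append(tag)
    return tag


class Payload:
    """Constructed object whose pickle names a callable plus arguments.

    pickle's REDUCE opcode calls that callable during loads(); the producer of
    the bytes, not the consumer, decides what it is."""

    def __reduce__(self):
        return (side_effect, ("executed-during-loads",))


def build_untrusted_bytes():
    """Bytes an untrusted party could hand to a service that deserializes them."""
    return pickle.dumps(Payload())


def unsafe_load(data):
    """The vulnerable pattern: deserialize whatever arrives."""
    return pickle.loads(data)


# Mitigation: resolve only an explicit allowlist of (module, name) globals.
# Constructed allowlist; a real service lists exactly the types it exchanges.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_load_rejects(data):
    """True if the allowlisting unpickler refuses the stream before executing it."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
        return False
    except pickle.UnpicklingError:
        return True


# Detection: inspect the opcode stream without executing it and list every
# (module, name) pair it would import; unexpected entries are worth logging.
def referenced_globals(data):
    found = []
    strings = []  # string operands seen so far; STACK_GLOBAL uses the last two
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
                       "SHORT_BINSTRING", "BINSTRING", "STRING"):
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocols 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocols 4+: two strings pushed
            found.append((strings[-2], strings[-1]))
    return found


def demo():
    """Run all three steps and return what happened so it can be checked."""
    data = build_untrusted_bytes()
    CALLS.clear()
    unsafe_load(data)
    ran_unsafe = list(CALLS)
    CALLS.clear()
    rejected = restricted_load_rejects(data)
    ran_restricted = list(CALLS)
    return {
        "unsafe_ran_callable": ran_unsafe,
        "restricted_rejected": rejected,
        "restricted_ran_callable": ran_restricted,
        "globals_seen": [name for _module, name in referenced_globals(data)],
    }


if __name__ == "__main__":
    print(demo())
```

The static inspection in `referenced_globals` is a triage aid, not a substitute for the allowlist: the unpickler's `find_class` is the control that actually blocks execution, and the same principle (resolve types only from an explicit allowlist, or prefer a data-only format) applies to .NET and Java deserializers.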
Conclusion
Users are strongly advised to apply the updates Ivanti has released for EPM, Cloud Service Appliance, and Workspace Control to mitigate these risks.
References
[1] https://nordicdefender.com/blog/cve-2024-29847-critical-vulnerabilities-in-ivanti-endpoint-manager
[2] https://www.scmagazine.com/brief/maximum-severity-ivanti-epm-flaw-patched
[3] https://digital.nhs.uk/cyber-alerts/2024/cc-4547
[4] https://securityonline.info/ivanti-issues-patch-for-critical-vulnerabilities-in-endpoint-manager-including-cve-2024-29847-cvss-10-0/
[5] https://www.tenable.com/cve/CVE-2024-29847
[6] https://thehackernews.com/2024/09/ivanti-releases-urgent-security-updates.html