Update now! Critical CVSS 10 vulnerability in Ivanti EPM

Ivanti has released a fix for CVE-2024-29847, a deserialization of untrusted data flaw that allows remote code execution in its Endpoint Management solution.

Ivanti has released a fix for a slew of serious vulnerabilities in its Endpoint Management (EPM) software, including CVE-2024-29847, a deserialization of untrusted data (CWE-502) flaw that allows remote code execution. The vulnerability carries the maximum CVSS score of 10, which means that it’s both extremely dangerous and easy to exploit. Ivanti says that “successful exploitation could lead to unauthorized access to the EPM core server.”

Ivanti EPM is a Unified Endpoint Management (UEM) solution that allows users to manage software on their endpoints. Given the privileged access the software enjoys, a compromise could be catastrophic.

The sky-high CVSS score is a green light for cybercriminals, who are no doubt already hard at work reverse engineering the patch and working out how to exploit it.

Speed is of the essence and we urge you to patch quickly.

Ivanti says the vulnerability affects the 2024 and 2022 SU5 versions of EPM. A security “Hot Patch” is available for the 2024 version, while 2022 SU5 customers should update to SU6.

Alongside the deserialization bug, the updates also fix no fewer than nine separate SQL injection flaws, all rated critical, all carrying a CVSS score of 9.1, and all of which could allow “a remote authenticated attacker with admin privileges to achieve remote code execution.”

The last 12 months have been a year to forget for Ivanti, as it has dealt with a steady stream of serious vulnerabilities, starting with a pair of actively exploited zero-days in its Endpoint Manager Mobile in July and August last year. Then in January, a pair of serious vulnerabilities in its VPN software were actively exploited in such massive numbers that CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Policy Secure. This was quickly followed by the discovery of another critical vulnerability in the software in early February, and yet more vulnerabilities with eye-watering CVSS scores in its Standalone Sentry and Ivanti Neurons for ITSM products in March.

As serious as these bugs are, their discovery may be as much a sign of progress as of weakness. In a blog post accompanying the latest advisory, the company sought to explain, not unreasonably, that the most recent vulnerabilities were discovered as a result of it stepping up its bug hunting efforts:

In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues. This has caused a spike in discovery and disclosure, and we agree with CISA’s statement that the responsible discovery and disclosure of CVEs is “a sign of healthy code analysis and testing community.”

When judging the health of a codebase, the rate of discovery can be more instructive than the total number of finds, so we suggest Ivanti users keep a close eye on the company’s updates as its new process does its work.
