Ivanti has launched safety updates to handle a crucial flaw impacting its Endpoint Supervisor (EPM) answer that, if efficiently exploited, may end in distant code execution (RCE) on vulnerable servers.
Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 previous to SU5.
“If exploited, an attacker with entry to the inner community can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output with out the necessity for authentication,” Ivanti mentioned in an advisory.
“This could then permit the attacker management over machines operating the EPM agent. When the core server is configured to make use of SQL specific, this may result in RCE on the core server.”
The disclosure arrived weeks after the corporate resolved practically two dozen safety flaws in its Avalanche enterprise cell gadget administration (MDM) answer.
Of the 21 points, 13 are rated crucial (CVSS scores: 9.8) and have been characterised as unauthenticated buffer overflows. They’ve been patched in Avalanche 6.4.2.
“An attacker sending specifically crafted knowledge packets to the Cell Gadget Server may cause reminiscence corruption which may end in a denial-of-service (DoS) or code execution,” Ivanti mentioned.
Whereas there isn’t a proof that these aforementioned weaknesses have been exploited within the wild, state-backed actors have, previously, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Supervisor Cell (EPMM) to infiltrate the networks of a number of Norwegian authorities organizations.
In August 2023, one other crucial vulnerability within the Ivanti Sentry product (CVE-2023-38035, CVSS rating: 9.8) got here beneath lively exploitation as a zero-day.
