Ivanti Patches Critical EPM Vulnerabilities in Latest Software Update

Ivanti has released software updates to address multiple vulnerabilities impacting Endpoint Manager (EPM), including 10 critical flaws that could lead to remote code execution. The most severe of these, CVE-2024-29847, has a CVSS score of 10.0 and involves deserialization of untrusted data, allowing remote, unauthenticated attackers to execute code.

Additionally, nine SQL injection vulnerabilities (CVE-2024-32840, CVE-2024-32842, CVE-2024-32843, CVE-2024-32845, CVE-2024-32846, CVE-2024-32848, CVE-2024-34779, CVE-2024-34783, and CVE-2024-34785), each with a CVSS score of 9.1, allow authenticated attackers with admin privileges to achieve remote code execution. These vulnerabilities affect EPM versions 2024 and 2022 SU5 and earlier. Fixes have been issued in versions 2024 SU1 and 2022 SU6.

Although there are no reports of these flaws being actively exploited as zero-days, users are urged to update to the latest versions to mitigate potential risks.

Additional Updates for Ivanti Workspace Control (IWC) and Cloud Service Appliance (CSA)

The September update also resolves seven high-severity vulnerabilities in Ivanti Workspace Control (IWC) and Ivanti Cloud Service Appliance (CSA). Ivanti has bolstered its internal vulnerability scanning and testing efforts to better identify and fix security issues. These enhancements have resulted in a higher rate of vulnerability discovery and disclosure.

This update follows incidents involving the exploitation of zero-day vulnerabilities in Ivanti appliances, some of which were leveraged by China-linked cyber espionage groups.

Zyxel Fixes Critical OS Command Injection Vulnerability

Meanwhile, Zyxel has patched a critical command injection vulnerability (CVE-2024-6342, CVSS score: 9.8) in its NAS326 and NAS542 network-attached storage (NAS) devices. The flaw allows unauthenticated attackers to execute OS commands via specially crafted HTTP POST requests. Zyxel has released hotfixes to address this vulnerability:

  • NAS326: Fixed in V5.21(AAZF.18)Hotfix-01
  • NAS542: Fixed in V5.21(ABAG.15)Hotfix-01
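Because the Zyxel fix is delivered as a hotfix on top of an existing firmware build, a plain string comparison against the version shown in the web UI is easy to get wrong (a device on V5.21 build 18 without the hotfix is still vulnerable). The following added example, which is not code from Zyxel or from this post, parses that version format and reports patch status for a constructed inventory. It assumes the layout V<major>.<minor>(<model code>.<build>)<suffix>, where the suffix is either C0 for a base release or Hotfix-NN; the hostnames and running versions in the inventory are constructed sample data, and the reference table holds only the two fixed versions quoted above.

```python
import re
from typing import List, NamedTuple, Tuple

# Fixed versions quoted in the post (constructed lookup table keyed by model).
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.18)Hotfix-01",
    "NAS542": "V5.21(ABAG.15)Hotfix-01",
}

# Assumed version layout: V<major>.<minor>(<model code>.<build>)<suffix>
_VERSION_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)\((?P<code>[A-Z]+)\.(?P<build>\d+)\)(?P<suffix>.*)$"
)
_HOTFIX_RE = re.compile(r"^Hotfix-(\d+)$")


class FwVersion(NamedTuple):
    code: str    # model-specific firmware code, e.g. AAZF for NAS326
    major: int
    minor: int
    build: int
    hotfix: int  # 0 for a base release (suffix "C0" or empty)


def parse_version(text: str) -> FwVersion:
    """Parse a Zyxel-style firmware string; raise on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    suffix = m.group("suffix")
    hf = _HOTFIX_RE.match(suffix)
    if hf:
        hotfix = int(hf.group(1))
    elif suffix in ("", "C0"):
        hotfix = 0
    else:
        raise ValueError(f"unrecognised version suffix: {suffix!r}")
    return FwVersion(
        m.group("code"),
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("build")),
        hotfix,
    )


def is_patched(model: str, running: str) -> bool:
    """True if the running firmware is at or beyond the fixed version for the model."""
    fixed = parse_version(FIXED_VERSIONS[model])
    current = parse_version(running)
    if current.code != fixed.code:
        # A different firmware code means the string belongs to another model;
        # refuse rather than silently comparing unrelated build numbers.
        raise ValueError(f"firmware code {current.code} does not match {model}")
    return (current.major, current.minor, current.build, current.hotfix) >= (
        fixed.major, fixed.minor, fixed.build, fixed.hotfix
    )


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, model, running version) records to (host, status) for review."""
    results = []
    for host, model, running in inventory:
        try:
            status = "patched" if is_patched(model, running) else "VULNERABLE"
        except (KeyError, ValueError) as exc:
            status = f"unknown ({exc})"
        results.append((host, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("nas-a.example", "NAS326", "V5.21(AAZF.17)C0"),
        ("nas-b.example", "NAS326", "V5.21(AAZF.18)C0"),
        ("nas-c.example", "NAS326", "V5.21(AAZF.18)Hotfix-01"),
        ("nas-d.example", "NAS542", "V5.21(ABAG.15)Hotfix-01"),
        ("nas-e.example", "NAS542", "V5.21(AAZF.18)Hotfix-01"),
    ]
    for host, status in triage(sample):
        print(f"{host:16} {status}")
```

The ordering key is the tuple (major, minor, build, hotfix), so a later base build without a hotfix still counts as patched, while the same build that the hotfix was issued for does not until the hotfix is present. The model-code check catches inventory records where a version string was copied from the wrong device.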

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067