Ivanti has launched safety updates to deal with a crucial flaw impacting its Endpoint Supervisor (EPM) resolution that, if efficiently exploited, may lead to distant code execution (RCE) on prone servers.
Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 previous to SU5.
“If exploited, an attacker with entry to the inner community can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output with out the necessity for authentication,” Ivanti mentioned in an advisory.
“This may then permit the attacker management over machines working the EPM agent. When the core server is configured to make use of SQL categorical, this would possibly result in RCE on the core server.”
The disclosure arrived weeks after the corporate resolved almost two dozen safety flaws in its Avalanche enterprise cell gadget administration (MDM) resolution.
Of the 21 points, 13 are rated crucial (CVSS scores: 9.8) and have been characterised as unauthenticated buffer overflows. They’ve been patched in Avalanche 6.4.2.
“An attacker sending specifically crafted information packets to the Cell Gadget Server could cause reminiscence corruption which may lead to a denial-of-service (DoS) or code execution,” Ivanti mentioned.
Whereas there isn’t a proof that these aforementioned weaknesses have been exploited within the wild, state-backed actors have, previously, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Supervisor Cell (EPMM) to infiltrate the networks of a number of Norwegian authorities organizations.
In August 2023, one other crucial vulnerability within the Ivanti Sentry product (CVE-2023-38035, CVSS rating: 9.8) got here below energetic exploitation as a zero-day.
