Critical Vulnerabilities Found In Ivanti Endpoint Manager Versions

IT software vendor Ivanti recently released security updates to address multiple vulnerabilities in its Avalanche, Application Control Engine, and Endpoint Manager (EPM) products, including four critical vulnerabilities in EPM.

The critical vulnerabilities, each scoring 9.8 on the CVSS scale, are path traversal issues in EPM that could allow remote, unauthenticated attackers to access sensitive information.

The flaws are tracked as:

  • CVE-2024-10811
  • CVE-2024-13159
  • CVE-2024-13160
  • CVE-2024-13161

The vulnerabilities affect EPM versions before the 2024 November Security Update or the 2022 SU6 November Security Update and were addressed in the January 2025 updates.

Zach Hanley, a security researcher from Horizon3.ai, is credited with identifying and reporting these issues.

Additionally, Ivanti patched several high-severity issues in Avalanche (versions before 6.4.7) and Application Control Engine (versions before 10.14.4.0).

These flaws could allow attackers to bypass authentication mechanisms, access sensitive data, or disable application blocking.

Although Ivanti has found no evidence of these vulnerabilities being exploited in the wild, the company has ramped up its internal processes, such as scanning and testing, to identify and address potential risks more efficiently.

Separately, SAP has released critical patches for its NetWeaver ABAP Server and ABAP Platform to fix vulnerabilities CVE-2025-0070 and CVE-2025-0066, both of which scored 9.9 on the CVSS scale.

These flaws could allow authenticated attackers to bypass authentication checks, escalate privileges, and gain access to restricted information.

“SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,” the company said in its January 2025 bulletin.

Kavita Iyer