Ivanti has released a security update to address a critical flaw affecting its Endpoint Manager (EPM) solution that, if successfully exploited, could lead to Remote Code Execution (RCE) on vulnerable servers. .
This vulnerability is numbered CVE-2023-39336 and scored 9.6 out of 10 on the CVSS scoring system. This flaw affects EPM 2021 and EPM 2022 prior to SU5.
“If exploited, an attacker with access to the internal network could leverage unspecified SQL injection to execute arbitrary SQL queries and retrieve output without authentication,” Ivanti said in an advisory.
“This could allow an attacker to take control of a computer running the EPM agent. This could lead to RCE on the core server when the core server is configured to use SQL Express.”
A few weeks ago, the company addressed nearly two dozen security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution.
Of these 21 issues, 13 are rated critical (CVSS score: 9.8) and characterized as unauthenticated buffer overflows. They have been patched in Avalanche 6.4.2.
“An attacker sending a specially crafted packet to a mobile device server could cause memory corruption, leading to a denial of service (DoS) or code execution,” Ivanti said.
While there is no evidence that the above vulnerabilities have been exploited in the wild, state-sponsored attackers have exploited zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM) in the past to penetrate multiple Network of Norwegian government organizations.
A month later, another critical vulnerability (CVE-2023-38035, CVSS score: 9.8) in the Ivanti Sentry product was actively exploited as a zero-day vulnerability.
