Ivanti has launched safety updates to deal with a vital flaw impacting its Endpoint Supervisor (EPM) resolution that, if efficiently exploited, might end in distant code execution (RCE) on vulnerable servers.
Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 previous to SU5.
“If exploited, an attacker with entry to the inner community can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output with out the necessity for authentication,” Ivanti mentioned in an advisory.
“This could then permit the attacker management over machines operating the EPM agent. When the core server is configured to make use of SQL specific, this would possibly result in RCE on the core server.”
The disclosure arrived weeks after the corporate resolved almost two dozen safety flaws in its Avalanche enterprise cellular system administration (MDM) resolution.
Of the 21 points, 13 are rated vital (CVSS scores: 9.8) and have been characterised as unauthenticated buffer overflows. They’ve been patched in Avalanche 6.4.2.
“An attacker sending specifically crafted information packets to the Cell Gadget Server could cause reminiscence corruption which might end in a denial-of-service (DoS) or code execution,” Ivanti mentioned.
Whereas there is no such thing as a proof that these aforementioned weaknesses have been exploited within the wild, state-backed actors have, previously, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Supervisor Cell (EPMM) to infiltrate the networks of a number of Norwegian authorities organizations.
In August 2023, one other vital vulnerability within the Ivanti Sentry product (CVE-2023-38035, CVSS rating: 9.8) got here beneath energetic exploitation as a zero-day.