Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager

On Tuesday, Ivanti announced patches for several critical vulnerabilities in its Endpoint Manager (EPM). The release addresses six critical SQL injection bugs (CVE-2024-29822 through CVE-2024-29827) with a CVSS score of 9.6 that allow unauthenticated attackers on the network to execute arbitrary code. These flaws impact the Core server of EPM 2022 SU5 and earlier versions. The company released hot fixes for EPM 2022 SU5, with patches to be included in a future release. Additionally, Ivanti fixed four other high-severity SQL injection vulnerabilities in EPM and a high-severity unrestricted file upload bug in Ivanti Avalanche, and urged users to update to the latest versions. Other fixes address high-severity vulnerabilities in Neurons for ITSM, Connect Secure, and Secure Access client for Windows. Ivanti noted that it has no evidence of these vulnerabilities being exploited and reaffirmed its commitment to improving security and vulnerability management.

Read more: https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnerabilities-in-endpoint-manager/