Ivanti Releases Security Updates for Multiple Products

Three security advisories address 49 vulnerabilities in Ivanti Avalanche, Ivanti Endpoint Manager (EPM), Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Secure Access Client


Threat details

Introduction

Ivanti has released the following three security advisories addressing vulnerabilities in multiple products.

  • Security Advisory Ivanti Avalanche (Multiple CVEs) - Q4 2024 Release
    Ivanti Avalanche is a mobile device management solution used to remotely manage enterprise mobile devices, deploy software to them, and schedule their updates. Successful exploitation of five of the vulnerabilities could lead to denial-of-service (DoS), and one vulnerability could lead to information disclosure. All are rated with a CVSSv3 score of 7.5. Ivanti reports there is no known exploitation of these vulnerabilities.
     
  • Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6
    Ivanti EPM is an all-in-one solution for managing device endpoints within a network. This advisory contains 18 CVEs, including one critical SQL injection vulnerability with a CVSSv3 score of 9.8 that could allow a remote unauthenticated attacker to achieve remote code execution (RCE). The other 17 vulnerabilities are either SQL injection or path traversal vulnerabilities with CVSSv3 scores ranging from 7.2 to 8.8 that could allow an attacker to execute code. Ivanti reports there is no known exploitation of these vulnerabilities.
     
  • Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC) (Multiple CVEs)
    This advisory includes 25 vulnerabilities affecting Ivanti Connect Secure and Policy Secure, which are SSL VPN solutions used for remote and mobile access to corporate resources. Eight critical command or argument injection vulnerabilities (all with CVSSv3 scores of 9.1) could lead to remote code execution (RCE). The other high and medium severity vulnerabilities could allow an attacker to cause DoS, achieve RCE, modify configuration files, create arbitrary folders, or escalate privileges. Ivanti reports there is no known exploitation of these vulnerabilities.

Remediation advice

Affected organisations are strongly encouraged to review Ivanti's November Security Update blog and the security advisories below, applying any relevant updates.


Remediation steps

  • Patch: Security Advisory Ivanti Avalanche (Multiple CVEs) - Q4 2024 Release
    https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4-2024-Release

  • Patch: Security Advisory EPM November 2024 for EPM 2024 and EPM 2022 SU6
    https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022

  • Patch: Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC) (Multiple CVEs)
    https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Last edited: 14 November 2024 9:35 am