Critical Flaws Found in Ivanti Endpoint Manager; Updates Released

Ivanti Issues Critical Security Updates for EPM, Avalanche, and Application Control Engine

Ivanti has recently announced vital security updates addressing several vulnerabilities within its products, specifically Avalanche, Application Control Engine, and Endpoint Manager (EPM). Among these updates are four critical security flaws rated 9.8 out of 10 on the CVSS scale, which could potentially lead to information disclosure. This article explores the vulnerabilities and the steps Ivanti is taking to enhance security.

Critical Vulnerabilities in Endpoint Manager

The primary concern lies within EPM, where four significant vulnerabilities have been identified:

  • CVE-2024-10811
  • CVE-2024-13161
  • CVE-2024-13160
  • CVE-2024-13159

These flaws relate to absolute path traversal issues that could allow remote, unauthenticated attackers to leak sensitive information. Affected versions include EPM versions from the November 2024 security update and earlier, as well as the 2022 SU6 November security update and prior. Fortunately, these vulnerabilities have been addressed in the EPM January 2025 Security Update.
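As an added illustration of the bug class named above (absolute path traversal, CWE-36), the sketch below shows why joining a base directory with a client-supplied name is unsafe, next to a resolver that enforces containment. It is generic example code, not Ivanti's; the article gives no detail on the affected EPM component, and all function names and sample requests are constructed for this example.

```python
import ntpath
import os

def resolve_naive(base_dir, requested):
    # Vulnerable pattern: os.path.join() drops base_dir entirely when
    # `requested` is absolute, so the client chooses the file that is read.
    return os.path.join(base_dir, requested)

def resolve_safe(base_dir, requested):
    """Return a path that is guaranteed to sit under base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # Reject rooted and UNC forms ("/x", "\\x", "\\\\host\\share") and
    # drive-qualified forms ("C:\\x"), whatever OS this code runs on.
    if requested.startswith(("/", "\\")) or ntpath.splitdrive(requested)[0]:
        raise ValueError("absolute path rejected")
    # Resolve ".." segments and symlinks, then confirm containment.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate

# Constructed sample requests (not taken from any Ivanti product or advisory).
SAMPLES = ["reports/q1.txt", "/etc/passwd", "C:\\Windows\\win.ini",
           "\\\\host\\share\\secrets.txt", "../outside.txt"]

def classify(base_dir, samples=SAMPLES):
    """Map each requested name to 'allowed' or the rejection reason."""
    verdicts = {}
    for name in samples:
        try:
            resolve_safe(base_dir, name)
            verdicts[name] = "allowed"
        except ValueError as exc:
            verdicts[name] = str(exc)
    return verdicts

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        print("naive:", resolve_naive(base, "/etc/passwd"))
        for name, verdict in classify(base).items():
            print(f"{name!r}: {verdict}")
```

The same join behaviour exists in other runtimes' path-combining helpers, so the containment check after canonicalisation is the part that matters, not the specific library call.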

Additional Patches for Avalanche and Application Control Engine

In addition to the EPM vulnerabilities, Ivanti has patched several high-severity issues in earlier versions of Avalanche (prior to 6.4.7) and Application Control Engine (prior to version 10.14.4.0). These vulnerabilities could allow attackers to bypass authentication, leak sensitive information, and circumvent application blocking functionalities.

Ivanti has emphasized that there is currently no evidence suggesting that these flaws are being exploited in the wild. The company is also enhancing its internal scanning and testing processes to quickly identify and rectify any future security concerns.

Related Security Updates from SAP

In a related development, SAP has released critical updates for its NetWeaver ABAP Server and ABAP Platform. These updates address two vulnerabilities (CVE-2025-0070 and CVE-2025-0066) rated 9.9 on the CVSS scale, which involve improper authentication checks that could lead to privilege escalation and unauthorized access to restricted information. SAP strongly urges customers to visit their Support Portal and apply the necessary patches to secure their systems.

Stay Informed and Secure

As cybersecurity threats continue to evolve, it’s crucial for organizations to stay updated on vulnerabilities in their software systems.