dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

Avatar
info@thehackernews.com (The Hacker News)
January 16, 2025
Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern absolute path traversal flaws that allow a remote unauthenticated
Total
0
Shares
0
0
0
[[{“value”:”

Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure.

All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern absolute path traversal flaws that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below –

CVE-2024-10811
CVE-2024-13161
CVE-2024-13160, and
CVE-2024-13159

The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update.

Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all vulnerabilities in question.

Also patched by Ivanti are multiple high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine before version 10.14.4.0 that could permit an attacker to bypass authentication, leak sensitive information, and get around the application blocking functionality.

The company said it has no evidence that any of the flaws are being exploited in the wild, and that it has intensified its internal scanning and testing procedures to promptly flag and address security issues.

The development comes as SAP released fixes to resolve two critical vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9) that allows an authenticated attacker to exploit improper authentication checks in order to escalate privileges and access restricted information due to weak access controls.

“SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,” the company said in its January 2025 bulletin.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

OneBlood reports data breach to state regulators after ransomware attack

January 15, 2025
Next Post

Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

January 16, 2025
Related Posts
4 min

Enterprise Identity Threat Report 2024: Unveiling Hidden Threats to Corporate Identities

In the modern, browser-centric workplace, the corporate identity acts as the frontline defense for organizations. Often referred to as “the new perimeter”, the identity stands between safe data management and potential breaches. However, a new report reveals how enterprises are often unaware of how their identities are being used across various platforms. This leaves them vulnerable to data
Avatar
info@thehackernews.com (The Hacker News)
October 31, 2024
Read More
2 min

Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks

A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan. Cybersecurity company Securonix, which is tracking the activity under the name FLUX#CONSOLE, said it likely starts with a phishing email link or attachment, although it said it couldn't obtain the original email used to launch the attack. "One of the
Avatar
info@thehackernews.com (The Hacker News)
December 17, 2024
Read More