Advisory

Critical vulnerability in Bitdefender's GravityZone Update Server

Take action: If you are running Bitdefender's on-premise GravityZone Update Server, make sure it is automatically updated to the latest version. This is a fairly simple patch, so don't delay.


Learn More

A critical security vulnerability has been reported in Bitdefender's GravityZone on-premise Update Server.

The vulnerability, tracked as CVE-2024-6980 (CVSS score of 9.2), originates from a verbose error-handling issue within the proxy service of the GravityZone Update Server. This flaw enables attackers to exploit the system through server-side request forgery (SSRF) attacks. An attacker can gain access to sensitive internal resources, bypass existing security controls, manipulate server operations and gather confidential information.

The flaw specifically impacts GravityZone Console versions prior to 6.38.1-5 that are running on-premise.

Bitdefender has released an update, which can be applied automatically, that upgrades the product to version 6.38.1-5 and mitigates the issue.

Organizations using affected versions of the GravityZone Update Server should immediately update their systems to version 6.38.1-5 or later and ensure that automatic updates are enabled to receive critical security patches.

To ensure that the latest version is installed, users should:

  • Check the GravityZone Control Center’s “About” or “System Information” section for the current version.
  • Look for any available updates in the Configuration > Update section of the GravityZone console.
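As an added example (not Bitdefender's own tooling), the following Python check compares a version string read from the console against the fixed version 6.38.1-5. It assumes the MAJOR.MINOR.PATCH-BUILD format shown in this advisory and compares the parts numerically, so a build such as -10 is not misread as older than -5, and any value it cannot parse is flagged for follow-up rather than treated as patched.

```python
import re
from typing import Optional, Tuple

# Version Bitdefender reports as fixing CVE-2024-6980 (from the advisory).
FIXED_VERSION = "6.38.1-5"

# Assumed format: MAJOR.MINOR.PATCH with an optional "-BUILD" suffix,
# e.g. "6.38.1-5". Anchored so trailing junk is rejected, not ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"gz-a.example.internal": "6.38.0-9",
                    "gz-b.example.internal": "6.38.1-5",
                    "gz-c.example.internal": "6.38.1-10",
                    "gz-d.example.internal": "unknown"}


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a GravityZone-style version into a numerically comparable tuple.

    A missing build suffix counts as build 0; unparseable input returns None
    so callers cannot silently classify a garbled value as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` is older than the fixed version.

    Comparing tuples of ints avoids the classic string-compare mistakes:
    "6.38.1-10" sorting below "6.38.1-5", or "6.4.0" above "6.38.1-5".
    Unparseable input is reported as affected so it gets a follow-up.
    """
    installed_v = parse_version(installed)
    fixed_v = parse_version(fixed)
    if installed_v is None or fixed_v is None:
        return True
    return installed_v < fixed_v


def triage(inventory: dict) -> dict:
    """Map hostname -> installed version to hostname -> required action."""
    return {h: ("UPDATE REQUIRED" if is_affected(v) else "patched")
            for h, v in inventory.items()}
```

Feed `triage` the versions collected from each console's "About" or "System Information" page to get a per-host list of consoles still needing the 6.38.1-5 update.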