Ivanti fixes flaw in Endpoint Management that exposes registered devices to hijack
Take action: Even though the severity is critical, this issue is not as scary as the previous vulnerabilities. An attacker needs to be able to reach the management interface of Ivanti EPM to execute the attack. So first, make sure your Ivanti EPM management interface is accessible only from trusted networks. Then definitely plan for a quick patch, because attackers WILL find a way to enter your environment, usually through some social engineering or another exposed vulnerability.
Learn More
Ivanti has addressed a severe remote code execution (RCE) flaw in its Endpoint Management software (EPM), which could have allowed unauthorized attackers to take control of devices registered in the system or the central server.
Ivanti's products, widely used by over 40,000 companies for IT asset and system management, have become critical targets for cyber threats, emphasizing the importance of timely updates and security measures.
Ivanti EPM is used to manage various client devices across multiple platforms, including Windows, macOS, Chrome OS, and IoT systems. The vulnerability, tracked as CVE-2023-39366 (CVSS3 score 9.6), affected all supported versions of Ivanti EPM and has been fixed in the 2022 Service Update 5.
The flaw could be exploited by attackers within the target's internal network through simple attacks that need neither special privileges nor user interaction. The vulnerability is an unspecified SQL injection that enables the execution of arbitrary SQL queries and retrieval of data without authentication. This could lead to control over machines with the EPM agent installed and potentially RCE on the core server if SQL Express is used.
Ivanti reports no evidence of this vulnerability being exploited in the wild. Access to detailed information about CVE-2023-39366 has been restricted by Ivanti, likely to allow customers time to secure their systems.
State-backed hackers previously exploited zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) to attack Norwegian government networks. Another zero-day in Ivanti's Sentry software was exploited soon after. Ivanti also patched several critical flaws in its Avalanche enterprise mobile device management solution.