Advisory

Ivanti patches another two critical issues in its Avalanche MDM product

Take action: If you are using Ivanti Avalanche MDM, time to organize patching once again. Two critical vulnerabilities mean that a lot of hacker gangs will be automatically scanning for the product and attacking it. Don't delay.


Learn More

Ivanti has issued an update for its Avalanche mobile device management (MDM) solution, addressing a total of 27 vulnerabilities, including two critical flaws.

The critical vulnerabilities are tracked as:

  • CVE-2024-24996 (CVSS score 9.8): a heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 that allows an unauthenticated remote attacker to execute arbitrary commands.
  • CVE-2024-29204 (CVSS score 9.8): a heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 that allows a remote unauthenticated attacker to execute arbitrary commands.

Avalanche is extensively used by enterprises to manage, deploy, and update software across large fleets of mobile devices, often numbering over 100,000, from a central location.

Besides the critical vulnerabilities, Ivanti also patched an additional 25 vulnerabilities of medium and high severity. These could potentially be exploited to trigger denial-of-service attacks, execute commands with SYSTEM privileges, read sensitive information from memory, and carry out further remote code execution attacks.

These vulnerabilities have been addressed in the latest release of the Avalanche software, version 6.4.3. Ivanti has strongly recommended that all users of Avalanche upgrade to this latest version to mitigate the risks associated with these vulnerabilities. The company has provided an installer (login required) for the update and detailed support articles to assist customers with the upgrade process.
