Ivanti releases security updates for Endpoint Manager, patching one critical and multiple high severity flaws
Take action: Another big Ivanti EPM patch. Ivanti products are a favourite target for attackers, so don't sit on this one. Ignoring these flaws is going to come back to bite you.
Learn More
Ivanti has released security updates for its Endpoint Manager (EPM) platform, addressing one critical and multiple high severity vulnerabilities:
- CVE-2024-50330 (CVSS score 9.8) - A critical SQL injection vulnerability that allows a remote unauthenticated attacker to achieve remote code execution without user interaction.
- CVE-2024-50329 (CVSS score 8.8) - A path traversal vulnerability allowing a remote unauthenticated attacker to achieve remote code execution, but only with user interaction.
- CVE-2024-34787 (CVSS score 7.8) - A path traversal vulnerability allowing a local unauthenticated attacker to achieve code execution.
- CVE-2024-50322 (CVSS score 7.8) - A path traversal vulnerability allowing a local unauthenticated attacker to achieve code execution.
- CVE-2024-50323 (CVSS score 7.8) - A SQL injection vulnerability allowing a local unauthenticated attacker to achieve code execution.
- Multiple SQL injection vulnerabilities (CVSS score 7.2), each exploitable by an authenticated attacker with admin privileges: CVE-2024-32839, CVE-2024-32841, CVE-2024-32844, CVE-2024-32847, CVE-2024-34780, CVE-2024-37376, CVE-2024-34781, CVE-2024-34782, CVE-2024-34784, CVE-2024-50326, CVE-2024-50327, CVE-2024-50328.
Affected Versions:
- EPM 2024: September security update and prior versions
- EPM 2022 SU6: September security update and prior versions
Ivanti has released patches for both product versions:
- EPM 2024 November Security Update
- EPM 2022 SU6 November Security Update
Ivanti states it is not aware of any customers having been exploited via these vulnerabilities at the time of disclosure.
The patches require a system reboot after installation, and detailed installation instructions are provided with the patch files. For three of the admin-level SQL injection flaws (CVE-2024-32841, CVE-2024-32844, CVE-2024-34780), Ivanti also recommends following its KB article "Configure a Read Only Database User for Data Analytics Reporting", so that the reporting component connects with a database account that cannot be turned into a write or code-execution primitive if injection succeeds.
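The least-privilege idea behind that KB recommendation, as an added example that is not Ivanti's KB content or code: create a dedicated reporting login with read-only rights and confirm it holds no write or server-level privileges. The example assumes the EPM database runs on Microsoft SQL Server, and the database name (LANDesk), login name (epm_reporting_ro) and password placeholder are assumptions to replace with your own values.

```sql
-- Added example, not from Ivanti's KB. Assumes Microsoft SQL Server.
-- Database name, login name and password are placeholders (assumptions).

USE master;
GO
-- A SQL login just for reporting; use a long, generated password and keep
-- the server password policy enforced.
CREATE LOGIN epm_reporting_ro
    WITH PASSWORD = 'ReplaceWithStrongGeneratedPassword!',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO

USE LANDesk;   -- assumed EPM database name; substitute yours
GO
-- Map the login into the EPM database and grant read-only access only.
CREATE USER epm_reporting_ro FOR LOGIN epm_reporting_ro;
ALTER ROLE db_datareader ADD MEMBER epm_reporting_ro;

-- Explicit DENY wins over any GRANT added later, so a future mistake
-- (e.g. someone adding db_datawriter) still cannot give this account writes.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO epm_reporting_ro;
GO

-- Verification: impersonate the new user and check its effective rights.
-- Expected: is_reader = 1, is_writer = 0, is_sysadmin = 0.
-- Without sysadmin, an injected query cannot reach xp_cmdshell or similar
-- server-level features, which is what typically turns SQLi into RCE.
EXECUTE AS USER = 'epm_reporting_ro';
SELECT IS_MEMBER('db_datareader')                        AS is_reader,
       IS_MEMBER('db_datawriter')                        AS is_writer,
       IS_SRVROLEMEMBER('sysadmin', 'epm_reporting_ro')  AS is_sysadmin;
REVERT;
GO
```

Point the Data Analytics reporting connection at this login rather than the EPM service account, then re-run the verification block after any role changes. If reporting needs stored procedures, grant EXECUTE on those specific procedures rather than widening the role, and do not treat this as a substitute for applying the November Security Update.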