Critical Security Alert: Multiple 9.8-Rated Flaws Expose Ivanti Endpoint Manager to Remote Attacks

Critical Security Updates Released for Ivanti Enterprise Solutions

Ivanti has released crucial security patches addressing multiple vulnerabilities across its enterprise products, including four critical flaws in Endpoint Manager (EPM) that pose significant information disclosure risks.

The critical vulnerabilities (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159), each rated 9.8 on the CVSS scale, are absolute path traversal weaknesses in EPM. These flaws could enable unauthorized remote attackers to access sensitive information.

Affected versions include EPM 2024 November security update and prior, along with 2022 SU6 November security update and earlier versions. The issues have been resolved in the January-2025 Security Updates for both EPM 2024 and EPM 2022 SU6.

Additional high-severity vulnerabilities were patched in:
– Avalanche (versions prior to 6.4.7)
– Application Control Engine (versions before 10.14.4.0)

These vulnerabilities could potentially allow authentication bypass, information leakage, and circumvention of application blocking features.

Ivanti confirms no active exploitation of these vulnerabilities has been detected. The company has strengthened its internal security testing protocols to better identify and address such issues.

Separately, SAP has addressed two critical vulnerabilities (CVE-2025-0070 and CVE-2025-0066) in its NetWeaver ABAP Server and ABAP Platform, both rated 9.9 on CVSS, which could allow authenticated attackers to escalate privileges and access restricted information.
