Saturday, May 25, 2024

Ivanti warns critical EPM bug lets hackers hijack enrolled devices


Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server.

Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.

The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.

Attackers with access to a target’s internal network can exploit the vulnerability in low-complexity attacks that don’t require privileges or user interaction.

“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti says.

“This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this might lead to RCE on the core server.”

The company says it has no evidence that its customers have been affected by attackers exploiting this vulnerability.

At the moment, Ivanti blocks public access to an advisory containing full CVE-2023-39366 details, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.

Zero-days exploited in the wild

In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of a number of Norwegian government organizations.

“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA cautioned.

“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”

A third zero-day (CVE-2023-38035) in Ivanti’s Sentry software (formerly MobileIron Sentry) was exploited in attacks one month later.

The company also patched over a dozen critical security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution in December and August.

Ivanti’s products are used by more than 40,000 companies globally to manage their IT assets and systems.


