Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers.
Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5.
“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti reported in an advisory.
“This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.”
The disclosure arrived months after the company fixed approximately two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution.
Of the 21 issues, 13 are rated critical (CVSS scores: 9.8) and have been characterized as unauthenticated buffer overflows. They have been patched in Avalanche 6.4.2.
“An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a denial-of-service (DoS) or code execution,” Ivanti said.
Although there is no evidence that these aforementioned weaknesses have been exploited in the wild, state-backed actors have, in the past, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM) to infiltrate the networks of several Norwegian government organizations.
A month later, another critical vulnerability in the Ivanti Sentry product (CVE-2023-38035, CVSS score: 9.8) came under active exploitation as a zero-day.
Some parts of this article are sourced from:
thehackernews.com