Ivanti Security Updates Patch Critical Vulnerabilities in Endpoint Manager
Ivanti has announced the release of critical security updates to mitigate several vulnerabilities affecting its Avalanche, Application Control Engine, and Endpoint Manager (EPM) products. Among these are four significant flaws, each rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, which could lead to information disclosure. These vulnerabilities primarily stem from absolute path traversal issues that enable remote, unauthenticated attackers to access sensitive information.
The four flaws identified in the EPM are CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159. Affected versions include the EPM 2024 November security update and earlier, as well as the 2022 SU6 November security update and prior. These vulnerabilities have since been addressed in the latest EPM January 2025 Security Updates for both 2024 and 2022.
Zach Hanley, a security researcher from Horizon3.ai, has been credited with discovering these vulnerabilities. His research indicates that attackers could exploit the flaws for credential coercion, potentially compromising server integrity. This includes the ability for attackers to leverage the Ivanti EPM machine account credentials in relay attacks.
Alongside the EPM vulnerabilities, Ivanti has also patched several high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine versions before 10.14.4.0. These issues raise the risk of authentication bypass, information leakage, and evasion of application security measures. While Ivanti has not seen evidence of these vulnerabilities being actively exploited, the company has ramped up its internal scanning and testing processes to swiftly identify and resolve security concerns.
Similarly, SAP has addressed critical vulnerabilities in its NetWeaver ABAP Server, namely CVE-2025-0070 and CVE-2025-0066, both rated 9.9 on the CVSS scale. These vulnerabilities allow authenticated attackers to circumvent authentication checks, raising concerns over privilege escalation and unauthorized access to sensitive information.
Given the gravity of these vulnerabilities, both Ivanti and SAP have issued strong recommendations for their customers to apply the necessary patches promptly. SAP, in particular, urges customers to prioritize updates via their Support Portal to safeguard their systems.
Further compounding the urgency, Horizon3.ai has recently released technical details, describing the vulnerabilities in EPM as “credential coercion” bugs. These flaws involve a Dynamic Link Library (DLL) named “WSVulnerabilityCore.dll,” which exposes various APIs linked to endpoint management. The presence of a public proof-of-concept exploit has heightened the necessity for immediate patch application.
In light of these disclosures, business owners should consider the MITRE ATT&CK tactics that may have been employed in any related attacks. Tactics such as Initial Access and Privilege Escalation could be relevant, with adversaries possibly leveraging these vulnerabilities to gain unauthorized access and escalate their privileges.
As the cybersecurity landscape continues to evolve, vigilance and prompt action are imperative for organizations to mitigate risks and protect their assets effectively. Users of Ivanti and SAP products are strongly advised to incorporate these updates into their security strategy to enhance their defenses against potential exploitation.