Ivanti has released a security update to address a critical flaw affecting its Endpoint Manager (EPM) solution, which if successfully exploited, could lead to remote code execution (RCE) on vulnerable servers.
Tracked as CVE-2023-39336, the vulnerability is rated 9.6 out of 10 on the CVSS scoring system. This flaw affects EPM 2021 and EPM 2022 before SU5.
“If exploited, an attacker with access to the internal network could leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without requiring authentication,” Ivanti said in an advisory.
“This could then allow the attacker to gain control over machines running the EPM agent. When the Core Server is configured to use SQL Express, this could lead to an RCE on the Core Server.”
The disclosure comes just weeks after the company patched nearly two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution.
Of the 21 issues, 13 are rated critical (CVSS score: 9.8) and are marked as unauthenticated buffer overflows. They have been patched in Avalanche 6.4.2.
“An attacker sending specially crafted data packets to a mobile device server could cause memory corruption resulting in a denial of service (DoS) or code execution,” Ivanti said.
While there is no evidence that these aforementioned vulnerabilities have been exploited in the wild, state-backed actors have, in the past, exploited zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile ( EPMM) to infiltrate the networks of multiple Norwegian government organizations.
A month later, another critical vulnerability in the Ivanti Sentry product (CVE-2023-38035, CVSS score: 9.8) came under active exploitation as a zero-day.