US government flags major Ivanti security flaw, so patch now


The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Ivanti bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling that it’s being actively abused in the wild.

The bug that was just added is an SQL Injection vulnerability, found this spring in the Core server of Ivanti Endpoint Manager (EPM) 2022 SU5 and prior. It grants an unauthenticated attacker within the same network the ability to run arbitrary code. It is tracked as CVE-2024-29824, and has a severity score of 9.6 (critical).
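For readers unfamiliar with the vulnerability class named above, the following is an added, generic illustration of SQL injection and the standard fix (parameterized queries). It is not Ivanti's code and does not reproduce any detail of CVE-2024-29824, which the article does not describe; the table, rows and lookup functions are constructed for this example and run against an in-memory SQLite database.

```python
"""Generic SQL-injection illustration (added example; not Ivanti's code).

The schema and sample rows below are constructed for this demonstration.
"""
import sqlite3


def make_db():
    # Constructed sample inventory table, similar in spirit to an endpoint
    # management system's device list.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (hostname, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-01", "admin")],
    )
    return conn


def lookup_vulnerable(conn, hostname):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # database parser treats any quote or keyword in the input as SQL.
    query = f"SELECT hostname, owner FROM devices WHERE hostname = '{hostname}'"
    return list(conn.execute(query))


def lookup_parameterized(conn, hostname):
    # Hardened pattern: the SQL text is fixed and the value is bound by the
    # driver, so the input is only ever compared as data, never parsed as SQL.
    return list(
        conn.execute(
            "SELECT hostname, owner FROM devices WHERE hostname = ?", (hostname,)
        )
    )


if __name__ == "__main__":
    db = make_db()
    benign = "ws-01"
    malformed = "' OR '1'='1"
    print("benign, vulnerable:    ", lookup_vulnerable(db, benign))
    print("benign, parameterized: ", lookup_parameterized(db, benign))
    print("malformed, vulnerable:    ", lookup_vulnerable(db, malformed))
    print("malformed, parameterized: ", lookup_parameterized(db, malformed))
```

Both functions return the same single row for a well-formed hostname; the difference only appears on input containing SQL syntax, where the concatenating version returns the whole table and the parameterized version correctly returns nothing. Code review and static analysis rules that flag string formatting into query text are the cheapest way to catch the first pattern before it ships.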

Federal agencies now have three weeks to apply the patch, or stop using the product altogether - and organizations in the private sector should take note, too.

Renewed commitment to security

Ivanti Endpoint Manager (EPM) is a software solution designed for IT asset management, offering tools to manage, secure, and troubleshoot endpoints like desktops, laptops, and mobile devices across an organization. It helps automate patching, software distribution, and inventory control, and supports Windows, macOS, Chrome OS, and different IoT operating systems.

The company says it patched the vulnerability in May 2024, together with five other RCE flaws. It, too, recently confirmed observing attacks in the wild: "At the time of this update, we are aware of a limited number of customers who have been exploited," the company concluded.

Ivanti is a major technology provider in the B2B sector, with over 40,000 customers globally, and clients spanning various industries, including government, healthcare, education, financial services, and more. These organizations use Ivanti's solutions for IT management, security, and asset management, and as such, they are a major target for cybercriminals.

In recent years, Ivanti has been at the center of much controversy, since many of its products were found to be severely flawed. In response, Ivanti CEO Jeff Abbott issued an open letter to customers and partners in April 2024, promising a renewed commitment to security.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.