Summary
Ivanti releases security updates that address 20 vulnerabilities, including 4 with a severity of “critical” and 16 with a severity of “high,” in Ivanti EPM, Ivanti Avalanche, Ivanti Application Control, Ivanti Security Controls, and Ivanti Neurons for App Control.
Risk
Vulnerability community impact estimate: High (66.41)
Type
- Remote Code Execution
- Authentication Bypass
- Privilege Escalation
- Information Leakage
- Security Restrictions Bypass
- Denial of Service
Affected products and/or versions
- Ivanti Endpoint Manager 2024, November security update and earlier
- Ivanti Endpoint Manager 2022 SU6, November security update and earlier
- Ivanti Avalanche, version 6.4.6 and earlier
- Ivanti Application Control, versions 2024.3 and earlier, 2024.1 and earlier, 2023.3 and earlier
- Ivanti Security Controls, version 2024.4.1 and earlier
Ivanti Neurons for App Control, automatically updated on December 12, 2024
Mitigation actions
In line with the vendor’s statements, it is recommended to update vulnerable products following the indications of the security bulletin reported in the References section.
Please note that for all versions of Ivanti Security Controls the vendor will not release any patches considering the end of support date of the Ivanti Security Controls Application Control module (EOL). It is therefore recommended to follow the mitigations reported in the “Solution” section of the security bulletin.
References
https://www.ivanti.com/blog/january-security-update
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.
