Summary
Ivanti is releasing security updates that address 20 vulnerabilities, including 4 critical and 16 high severity vulnerabilities, in Ivanti EPM, Ivanti Avalanche, Ivanti Application Control, Ivanti Security Controls, and Ivanti Neurons for App Control.
Note: Proofs of Concept (PoC) for exploiting the vulnerabilities CVE-2024-13161, CVE-2024-13160, CVE-2024-13159, and CVE-2024-10811 are available online.
Risk
Vulnerability Community Impact Estimation: Critical (75.38)
Type
- Remote Code Execution
- Authentication Bypass
- Privilege Escalation
- Information Leakage
- Security Restrictions Bypass
- Denial of Service
Affected Products and/or Versions
- Ivanti Endpoint Manager 2024, November Security Update and earlier
- Ivanti Endpoint Manager 2022 SU6, November Security Update and earlier
- Ivanti Avalanche, version 6.4.6 and earlier
- Ivanti Application Control, versions 2024.3 and earlier, 2024.1 and earlier, 2023.3 and earlier
- Ivanti Security Controls, version 2024.4.1 and earlier
- Ivanti Neurons for App Control, automatically updated on December 12, 2024
Mitigation Actions
In In line with the vendor’s statements, it is recommended to update vulnerable products following the indications of the security bulletin reported in the References section.
It is highlighted that for all versions of Ivanti Security Controls the vendor will not release any patches considering the end of support date of the Ivanti Security Controls Application Control module (EOL). It is therefore recommended to follow the mitigations reported in the “Solution” section of the security bulletin.
References
https://www.ivanti.com/blog/january-security-update
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.
