Ivanti, an IT software company, recently released fixes for 27 vulnerabilities in its Avalanche enterprise mobile device management (MDM) product, including two critical-severity bugs that allow command execution. The critical flaws, tracked as CVE-2024-24996 and CVE-2024-29204, are heap overflow issues in the WLInfoRailService and WLAvalancheService components and can be exploited remotely without authentication. The release also addresses additional high-severity vulnerabilities, such as path traversal flaws and unrestricted file upload bugs, that allow for command execution and denial-of-service attacks. Ivanti urges customers to update to version 6.4.3 of the product promptly, as all supported versions (6.3.1 and above) are affected, and older releases may also be vulnerable. Although there are no known exploits in the wild, Ivanti advises vigilance because attackers have exploited vulnerabilities in its products in the past.
Read more: https://www.securityweek.com/ivanti-patches-27-vulnerabilities-in-avalanche-mdm-product/