Application security, Endpoint/Device Security, Patch/Configuration Management

Over two dozen Ivanti Avalanche vulnerabilities addressed

Update software application and hardware upgrade technology concept, Firmware or Operating System update, Man using computer with comfirm button and percent progress bar screen. Installing app patch.

Security updates have been issued by Ivanti to address 27 issues impacting its Avalanche mobile device management solution, according to BleepingComputer.

Most severe of the remediated vulnerabilities are two critical heap overflow bugs within the solution's WLInfoRailService and WLAvalancheService components, tracked as CVE-2024-24996 and CVE-2024-29204, which could be exploited to facilitate arbitrary command execution without any user interaction.

On the other hand, the rest of the high- and medium-severity flaws could be leveraged to enable arbitrary command execution, sensitive data access, remote code execution attacks, and denial-of-service intrusions, said Ivanti, which urged immediate upgrades to the latest Avalanche 6.4.3 release even though there has been no evidence suggesting any active exploitation of the fixed security issues.

Such an advisory comes four months after more than a dozen critical RCE flaws impacting Avalanche MDM were fixed by Ivanti. MDM system vulnerabilities were noted by the Cybersecurity and Infrastructure Security Agency to be commonly exploited in cyberattacks due to the extensive device access they provide.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.