Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server.
Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.
The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.
Attackers with access to a target’s internal network can exploit the vulnerability in low-complexity attacks that don’t require privileges or user interaction.
“If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication,” Ivanti says.
“This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this would possibly result in RCE on the core server.”
The company says it has no evidence that its customers have been affected by attackers exploiting this vulnerability.
Currently, Ivanti blocks public access to an advisory containing full CVE-2023-39366 details, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.
Zero-days exploited in the wild
In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of several Norwegian government organizations.
“Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability,” CISA cautioned.
“Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
A third zero-day (CVE-2023-38035) in Ivanti’s Sentry software (formerly MobileIron Sentry) was exploited in attacks one month later.
The company also patched over a dozen critical security vulnerabilities in its Avalanche enterprise mobile device management (MDM) solution in December and August.
Ivanti’s products are used by more than 40,000 companies globally to manage their IT assets and systems.