Ivanti Endpoint Manager: Critical Security Flaws Uncovered

January 16, 2025

Security updates have been released by Ivanti to fix a number of vulnerabilities affecting Avalanche, Application Control Engine, and Endpoint Manager (EPM). The updates address four critical bugs that could potentially result in information disclosure. The critical security flaws, which have been rated as 9.8 out of 10.0 on the CVSS scale, are all found in EPM. These flaws relate to instances of absolute path traversal that could allow a remote unauthenticated attacker to leak sensitive information.

The flaws impact EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. These flaws have been resolved in the EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update. All four vulnerabilities were discovered and reported by Horizon3.ai security researcher Zach Hanley.

Ivanti has also patched multiple high-severity bugs in Avalanche versions prior to 6.4.7 and Application Control Engine before version 10.14.4.0. These bugs could enable an attacker to bypass authentication, leak sensitive information, and circumvent the application blocking functionality. Ivanti stated that it has no evidence of these flaws being exploited in the wild and that it has increased its internal scanning and testing procedures to quickly identify and address security issues.

In related news, SAP released fixes for two critical vulnerabilities in its NetWeaver ABAP Server and ABAP Platform (CVE-2025-0070 and CVE-2025-0066, CVSS scores: 9.9). These vulnerabilities could allow an authenticated attacker to exploit improper authentication checks to escalate privileges and access restricted information due to weak access controls. 'SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,' the company said in its January 2025 bulletin.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.