Critical Remote Code Execution Vulnerability in Ivanti’s Endpoint Management Software
January 4, 2024
Ivanti has issued a warning and fix for a critical remote code execution (RCE) vulnerability found in its Endpoint Management software (EPM). The vulnerability, identified as CVE-2023-39366, could have allowed unauthenticated attackers to gain control over devices enrolled in the EPM or the core server itself.
Ivanti EPM is used to manage client devices running a range of platforms, including Windows, macOS, Chrome OS, and various IoT operating systems. The flaw affects all supported versions of Ivanti EPM and has been addressed in the 2022 Service Update 5.
The vulnerability can be exploited by attackers with access to a target's internal network through low-complexity attacks that require neither privileges nor user interaction. Ivanti states, "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server."
Currently, Ivanti has not found any evidence of customers being impacted by this vulnerability. The company has restricted public access to a detailed advisory on CVE-2023-39366, likely to give customers additional time to secure their devices before threat actors can devise exploits using the extra information.
Previously, in July, state-affiliated hackers exploited two zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to gain access to the networks of several Norwegian government organizations. The Cybersecurity and Infrastructure Security Agency (CISA) warned, "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability."
Another zero-day vulnerability (CVE-2023-38035) in Ivanti's Sentry software was exploited a month later. Ivanti also patched numerous critical security vulnerabilities in its Avalanche enterprise mobile device management solution in December and August. Ivanti's products are employed by over 40,000 companies globally to manage their IT assets and systems.