Ivanti Fixes Two Critical Flaws in Avalanche MDM Solution

Ivanti has patched two critical vulnerabilities in its Avalanche mobile device management (MDM) solution that could lead to remote command execution. The two flaws, tracked as CVE-2024-24996 and CVE-2024-29204, both allow unauthenticated remote attackers to execute arbitrary commands. The former vulnerability has a CVSS score of 9.8 and exists in the WLInfoRailService component, while the latter, also with a CVSS score of 9.8, is found in the WLAvalancheService component. Ivanti recommends updating to version 6.4.3 of Avalanche to address these vulnerabilities.

No attacks exploiting these vulnerabilities in the wild have been discovered at this time. Ivanti advised that the issues are addressed in Avalanche 6.4.3; downloads for the latest version of Avalanche can be found on the Ivanti website.

Ivanti continues to investigate and address other vulnerabilities in its MDM solution, including denial-of-service conditions, remote code execution, and reading sensitive information from memory. It recommends that users update to the latest version to prevent exploitation by malicious actors.
