Ivanti has fixed two critical vulnerabilities in its Avalanche MDM.


Ivanti has fixed several issues in its mobile device management (MDM) solution, Avalanche, including two critical vulnerabilities tracked as CVE-2024-24996 and CVE-2024-29204, which could allow for remote command execution.

The MDM software allows administrators to configure, deploy, update, and maintain up to 100,000 mobile IT assets within a single system. The two vulnerabilities are described below:

CVE-2024-24996 (CVSS score 9.8)

A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche prior to version 6.4.3 allows an unauthorized remote attacker to execute arbitrary commands.

CVE-2024-29204 (CVSS score 9.8)

A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche prior to version 6.4.3 allows a remote unauthorized attacker to execute arbitrary commands.

A remote attacker can exploit both issues to execute code without user interaction. Ivanti has also addressed dozens of medium and high severity vulnerabilities that could be used to trigger denial of service conditions, execute arbitrary commands, conduct remote code execution attacks, and read sensitive information from memory. The company is not aware of any attacks in the wild exploiting any of these vulnerabilities at the time of disclosure.

The vulnerabilities were fixed with the release of Avalanche 6.4.3.

"To address the security vulnerabilities listed below, it is strongly recommended to download the Avalanche installer and update to the latest version, Avalanche 6.4.3. The installation will include fixes for each CVE mentioned in the table below. These vulnerabilities affect any older versions of Avalanche. You can download the latest version, Avalanche 6.4.3, here," the recommendation states.
