Ivanti Releases Security Updates to Fix Critical Vulnerabilities in Avalanche Mobile Device Management Solution

Ivanti, a company specializing in IT security solutions, has recently announced the release of security updates to address 27 vulnerabilities in its Avalanche mobile device management (MDM) solution. Among these vulnerabilities, two critical heap overflows have been identified, allowing remote attackers to execute arbitrary commands.

Avalanche is a popular tool used by enterprise administrators for managing and deploying software across large fleets of mobile devices from a centralized location. The critical security flaws (known as CVE-2024-24996 and CVE-2024-29204) were found in Avalanche’s WLInfoRailService and WLAvalancheService components and pose a significant risk to vulnerable systems.

In addition to the critical vulnerabilities, Ivanti has also patched 25 medium- and high-severity bugs that could lead to denial-of-service attacks, unauthorized command execution, and remote code execution. The company has said that it is not aware of any exploitation of these vulnerabilities prior to public disclosure.

To address these security concerns, Ivanti strongly recommends that all users download the latest Avalanche 6.4.3 installer and apply the update. Customers can find the update on the Ivanti website, along with detailed instructions for the upgrade process.

This announcement comes after Ivanti previously patched 13 critical-severity remote code execution vulnerabilities in the Avalanche MDM solution last December. The company has been proactive in addressing security issues in its products, particularly after state-affiliated hackers exploited zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) to breach several Norwegian government organizations.

Given the potential risks associated with MDM systems, the Cybersecurity and Infrastructure Security Agency (CISA) has warned about the attractiveness of such systems to threat actors. Organizations are advised to prioritize the security of their mobile device management solutions to prevent potential exploits and safeguard sensitive data.

Fabio

Full Stack Developer
