Ivanti has addressed 13 critical security vulnerabilities in the Avalanche enterprise mobile device management (MDM) solution with security updates. These vulnerabilities, reported by Tenable security researchers and Trend Micro’s Zero Day Initiative, could be exploited by unauthenticated attackers to gain remote code execution on unpatched systems.
The vulnerabilities impact all supported versions of Avalanche, with older versions/releases also at risk. Ivanti recommends downloading the Avalanche installer and updating to the latest Avalanche 6.4.2 to address these security flaws.
In addition to the critical vulnerabilities, Ivanti also patched eight medium- and high-severity bugs that could be exploited in denial of service, remote code execution, and server-side request forgery (SSRF) attacks.
In previous instances, Ivanti fixed critical Avalanche buffer overflows that could lead to crashes and arbitrary code execution. Threat actors have previously exploited MobileIron Core zero-day vulnerabilities to hack into the IT systems of Norwegian ministries and infiltrate the networks of Norwegian government organizations.
CISA and NCSC-NO have warned about the potential for widespread exploitation of MDM systems in government and private sector networks, emphasizing the elevated access to thousands of mobile devices that makes them attractive targets for threat actors.