Ivanti, an IT software company, rolled out patches for eight vulnerabilities in its Neurons for ITSM, Avalanche, and Virtual Traffic Manager (vTM) products
Ivanti, an IT software company, rolled out patches for eight vulnerabilities in its Neurons for ITSM, Avalanche, and Virtual Traffic Manager (vTM) products, including two critical ones.
For Neurons for ITSM, Ivanti fixed two security issues, one of which is a critical information disclosure flaw (CVE-2024-7569, CVSS 9.6). This bug could let an unauthenticated attacker access sensitive debug data, potentially exposing the OIDC client secret. Ivanti also patched a high-severity flaw (CVE-2024-7570, CVSS 8.3) involving improper certificate validation, which could allow an attacker in a man-in-the-middle (MitM) position to gain unauthorized access by forging a token.
The patches are available for Neurons for ITSM versions 2023.2, 2023.3, and 2023.4. All Neurons for ITSM Cloud environments were updated as of August 4.
Ivanti also addressed a critical bug in Virtual Traffic Manager (vTM), tracked as CVE-2024-7593 (CVSS 9.8). This flaw could be exploited remotely to bypass authentication and create an admin user. Fixes for this are included in vTM versions 22.2R1 and 22.7R2, with additional patches coming next week in versions 22.3R3, 22.5R2, and 22.6R2.
Five high-severity vulnerabilities were also patched in Avalanche. Four of these could allow unauthenticated remote attackers to launch denial-of-service (DoS) attacks or access files on the server. The fifth vulnerability involves improper input validation, which could lead to remote code execution (RCE), though the attacker would need admin-level access.
These issues were resolved with the release of Avalanche version 6.4.4, and Ivanti is urging customers to upgrade to the latest version.
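A defender's first question on reading a summary like this is which hosts are still exposed. The following triage helper is an added example, not Ivanti's code and not part of the advisory: it classifies inventory entries against the fixed versions named above (vTM 22.2R1 and 22.7R2, with 22.3/22.5/22.6 fixes still pending; Avalanche 6.4.4; Neurons for ITSM 2023.2 to 2023.4, where the patch is a hotfix on the branch and must be confirmed separately). The version-string parsing rule, the product labels and the hostnames are assumptions constructed for the example.

```python
"""Triage Ivanti product versions against the fixed versions in the August advisory.

Added example; fixed versions come from the advisory summary, everything else
(version-string parsing, product labels, inventory rows) is assumed/constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

VersionTuple = Tuple[int, ...]


def parse_version(text: str) -> VersionTuple:
    """Split an Ivanti-style version string into an integer tuple.

    Assumption: dotted versions ("6.4.4", "2023.3") and the vTM "22.2R1" form
    both reduce to their numeric runs, so "22.2R1" becomes (22, 2, 1) and a
    missing R-suffix sorts below R1 in plain tuple comparison.
    """
    parts = re.findall(r"\d+", text.strip())
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


# Fixed vTM versions per release branch (CVE-2024-7593). A branch mapped to
# None had its fix announced for the following week, so it is not yet patched.
VTM_FIXED: Dict[VersionTuple, Optional[VersionTuple]] = {
    (22, 2): (22, 2, 1),
    (22, 7): (22, 7, 2),
    (22, 3): None,
    (22, 5): None,
    (22, 6): None,
}

# Avalanche: all five high-severity issues fixed in 6.4.4.
AVALANCHE_FIXED: VersionTuple = (6, 4, 4)

# Neurons for ITSM: patches exist for these branches, but the branch number
# alone does not show whether the hotfix was applied.
ITSM_PATCHED_BRANCHES = {(2023, 2), (2023, 3), (2023, 4)}


def assess(product: str, version: str) -> str:
    """Return a triage status for one product/version pair.

    Statuses: "patched", "unpatched", "fix-pending" (branch whose fix is
    announced but not released), "verify-hotfix" (ITSM branch with a patch
    available; confirm it was applied), "unknown-branch" (not covered here).
    """
    v = parse_version(version)
    branch = v[:2]
    if product == "vtm":
        if branch not in VTM_FIXED:
            return "unknown-branch"
        fixed = VTM_FIXED[branch]
        if fixed is None:
            return "fix-pending"
        return "patched" if v >= fixed else "unpatched"
    if product == "avalanche":
        return "patched" if v >= AVALANCHE_FIXED else "unpatched"
    if product == "itsm":
        return "verify-hotfix" if branch in ITSM_PATCHED_BRANCHES else "unknown-branch"
    raise ValueError(f"unknown product: {product!r}")


# Constructed inventory rows: (hostname, product label, reported version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("vtm-edge-01.example", "vtm", "22.2R1"),
    ("vtm-edge-02.example", "vtm", "22.7R1"),
    ("vtm-lab-01.example", "vtm", "22.5R1"),
    ("avalanche-mdm.example", "avalanche", "6.4.3"),
    ("itsm-app-01.example", "itsm", "2023.3"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Attach a status to every inventory row; unpatched rows sort first."""
    rows = [(h, p, ver, assess(p, ver)) for h, p, ver in inventory]
    order = {"unpatched": 0, "fix-pending": 1, "verify-hotfix": 2, "unknown-branch": 3, "patched": 4}
    return sorted(rows, key=lambda r: order[r[3]])


if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{status:14} {product:10} {version:10} {host}")
```

The "fix-pending" bucket is the one to watch: those vTM branches have a critical, PoC-backed authentication bypass and no patch yet, so they need compensating controls (restricting management-interface exposure) until the announced builds ship.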
While Ivanti hasn't seen any active exploitation of these vulnerabilities, a proof-of-concept (PoC) exploit is available for the critical vTM flaw. More details can be found in Ivanti's August security advisory.