Ivanti on Tuesday announced patches for 11 vulnerabilities in its products, including five critical-severity bugs in Cloud Services Application, Connect Secure, and Policy Secure.
The most severe of these issues is CVE-2024-11639 (CVSS score of 10/10), an authentication bypass affecting the Cloud Services Application (CSA) secure communication solution.
Affecting the administrator web console of the enterprise solution, the flaw allows remote, unauthenticated attackers to access CSA with administrative privileges.
The admin web console was also found vulnerable to a command injection bug (CVE-2024-11772, CVSS score of 9.1) and an SQL injection defect (CVE-2024-11773, CVSS score of 9.1), which could allow remote attackers with administrative privileges to execute arbitrary code or run arbitrary SQL statements.
Ivanti addressed all three flaws in CSA version 5.0.3 and has credited CrowdStrike for finding and reporting them. Users are advised to update their appliances as soon as possible.
On Tuesday, the company also announced fixes for two critical-severity security defects in Connect Secure (ICS) and Ivanti Policy Secure (IPS) that could lead to remote code execution (RCE).
The issues, tracked as CVE-2024-11633 and CVE-2024-11634 (both with a CVSS score of 9.1), are described as argument injection and command injection bugs, respectively. Both can be exploited remotely by authenticated attackers; the argument injection affects only ICS, while the command injection affects both ICS and IPS.
Ivanti addressed the flaws with the release of ICS version 22.7R2.4 and IPS version 22.7R1.2. The ICS update also resolves three high-severity flaws leading to restrictions bypass and unauthenticated denial-of-service (DoS).
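To turn the fixed releases named above (CSA 5.0.3, ICS 22.7R2.4, IPS 22.7R1.2) into a check against an appliance inventory, here is an added Python example; it is not Ivanti's code and not part of the original article. It assumes that Ivanti version strings of the two shapes seen in the text ("5.0.3" and "22.7R2.4") compare numerically component by component, that a version without an "R" component sorts as release 0, and that the only fixed builds relevant here are the three the article names. The hostnames and version values in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the article. Nothing else is assumed about which
# earlier builds are affected: anything older than the fix is flagged.
FIXED_VERSIONS: Dict[str, str] = {
    "CSA": "5.0.3",      # CVE-2024-11639, CVE-2024-11772, CVE-2024-11773
    "ICS": "22.7R2.4",   # CVE-2024-11633, CVE-2024-11634
    "IPS": "22.7R1.2",   # CVE-2024-11634
}

# Accepts both shapes seen in the article: "5.0.3" and "22.7R2.4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?(?:\.(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Map '22.7R2.4' -> (22, 7, 2, 4) and '5.0.3' -> (5, 0, 0, 3).

    Assumption: the 'R' release number sorts numerically within a
    major.minor line, and a version without an 'R' part is treated as
    release 0 so that tuples from either scheme compare the same way.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {ver!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release or 0), int(build or 0))


def is_patched(product: str, version: str) -> bool:
    """True if `version` is at or above the fixed release for `product`."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version recorded for {product!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[product])


def unpatched_hosts(
    inventory: List[Tuple[str, str, str]]
) -> List[Tuple[str, str, str]]:
    """Filter (hostname, product, version) records down to those still exposed.

    Records whose version string cannot be parsed, or whose product has no
    recorded fix, are kept in the result: an appliance whose patch level
    cannot be confirmed should be treated as unpatched, not silently dropped.
    """
    exposed = []
    for host, product, version in inventory:
        try:
            patched = is_patched(product, version)
        except (ValueError, KeyError):
            patched = False
        if not patched:
            exposed.append((host, product, version))
    return exposed


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("csa-edge-1", "CSA", "5.0.2"),
    ("csa-edge-2", "CSA", "5.0.3"),
    ("vpn-gw-1", "ICS", "22.7R2.3"),
    ("vpn-gw-2", "ICS", "22.7R2.4"),
    ("nac-1", "IPS", "22.7R1.1"),
    ("nac-2", "IPS", "unknown"),
]

if __name__ == "__main__":
    for host, product, version in unpatched_hosts(SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS.get(product, "?")
        print(f"{host}: {product} {version} is below fixed release {fixed}")
```

The deliberate design choice is that an unparseable or unknown version counts as exposed rather than being skipped, so a host with a blank or malformed version field in the inventory still shows up in the output and gets looked at.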
High-severity security defects addressed in Sentry, Desktop and Server Management (DSM), and Patch SDK could allow attackers to modify sensitive application components or delete arbitrary files.
Tracked as CVE-2024-10256, the Patch SDK flaw also affects Endpoint Manager (EPM), Security Controls, Neurons Agent, Neurons for Patch Management, and Patch for Configuration Manager.
“We have no evidence of any of these vulnerabilities being exploited in the wild,” Ivanti says.
Additional information can be found in the company’s December security update post.