
WARNING: CRITICAL VULNERABILITIES IN IVANTI AVALANCHE <6.4.3 COULD LEAD TO RCE, PATCH IMMEDIATELY!

Reference: Advisory #2024-56
Version: 1.0
Affected software: IVANTI AVALANCHE <6.4.3
Type: Heap Overflow vulnerabilities
CVE/CVSS:

CVE-2024-24996: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-29204: CVSS 9.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Sources

https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US

Risks

Avalanche is Ivanti's enterprise mobile device management system. The company fixed twenty-five (25) vulnerabilities in its latest v6.4.3 update, two (2) of which are critical vulnerabilities with a CVSS score of 9.8 that could lead to remote code execution (RCE).

Ivanti is not aware of any exploitation of the addressed vulnerabilities. However, successful exploitation of critical CVE-2024-24996 could have a high impact on confidentiality, integrity and availability of data and systems. Exploitation of critical CVE-2024-29204 could have a high impact on availability.

Also check CCB's previous advisories on Ivanti Avalanche dated 30/08/2023 and 21/12/2023.

Even if there is no data available yet about a possible exploitation of CVE-2024-24996, the recent release of the proof-of-concept exploit code increases the likelihood of attacks targeting this vulnerability.

Description

Critical CVE-2024-24996 and CVE-2024-29204 are heap overflow vulnerabilities in the WLInfoRailService component and the WLAvalancheService component of the affected software, respectively.

Successful exploitation of said vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://cert.be/en/advisory/warning-unauthenticated-rce-ivanti-avalanche
https://cert.be/en/advisory/warning-13-critical-vulnerabilities-avalanche-enterprise-mobile-device-management-solution