
Overview

Ivanti has released security updates to address a vulnerability affecting Ivanti Sentry Standalone. Designated CVE-2023-41724, the vulnerability has a CVSSv3 score of 9.6 and could allow an unauthenticated attacker to execute arbitrary commands or achieve remote code execution.

A critical vulnerability (CVE-2021-44529) affects the Ivanti EPM Cloud Services Appliance in versions below 4.6.0-512. This is a code injection vulnerability and allows ‘an unauthenticated user to execute arbitrary code with limited permissions (nobody)’.

Fortinet has reported that FortiClientEMS 7.0 and 7.2 are affected by an improper neutralisation of special elements used in an SQL Command ('SQL Injection') vulnerability (CWE-89) that may allow an unauthenticated attacker to execute unauthorised code or commands using specifically crafted requests.

Nortek’s Linear eMerge E3-Series 1.00-06 (and older versions) is affected by a critical vulnerability (CVE-2019-7256) that could allow command injections.

Microsoft’s SharePoint Server is affected by a high-severity vulnerability (CVE-2023-24955) that could allow a network-based attack where an authenticated attacker, as a Site Owner, could execute code remotely on the SharePoint Server. This vulnerability is currently being exploited by cyber-attackers.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Ivanti: CVE-2023-41724 and CVE-2021-44529

Fortinet PSIRT: CVE-2023-48788

Nortek Linear eMerge E3-Series: CVE-2019-7256

Microsoft: CVE-2023-24955

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates