CVE-2024-36130: 
Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation

An insufficient authorization vulnerability was discovered in the web component of Ivanti Endpoint Manager for Mobile (EPMM) versions prior to 12.1.0.1. The vulnerability, identified as CVE-2024-36130, was disclosed in July 2024 and received a critical CVSS v3.1 base score of 9.8. This security flaw affects the web component of EPMM appliances and could potentially expose systems to unauthorized command execution (CERT-EU, NVD).

The vulnerability is characterized by insufficient authorization checks in the web component of EPMM. It has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. The vulnerability has been classified under CWE-287 (Improper Authentication) (NVD).

If exploited, this vulnerability allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the EPMM appliance. The critical CVSS score of 9.8 reflects the severe potential impact, with possible compromises to system confidentiality, integrity, and availability (CERT-EU).

Ivanti has released version 12.1.0.1 to address this vulnerability. Organizations running affected versions of EPMM are strongly advised to update to the latest version as soon as possible (CERT-EU).