Ivanti releases urgent fix for Critical Sentry RCE vulnerability

March 21, 2024 | Pressroom | Vulnerabilities / Web security

Sentinel RCE vulnerability

Ivanti has revealed details of a critical remote code execution flaw that impacted Standalone Sentry, urging customers to apply fixes immediately to stay protected from potential cyber threats.

Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” the company said.


The flaw affects all supported versions (9.17.0, 9.18.0, and 9.19.0) as well as older, unsupported versions. The company said it has made patches available (versions 9.17.1, 9.18.1 and 9.19.1) that can be downloaded via the standard download portal.

Ivanti credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of the NATO Cyber Security Centre for “their collaboration on this issue.”

Ivanti stressed that it is not aware of any customers affected by CVE-2023-41724 and added that “threat actors without a valid TLS client certificate registered via EPMM cannot directly exploit this issue on the Internet.”

According to Mandiant, recently revealed security flaws in Ivanti software have been exploited by at least three different suspected cyber espionage clusters linked to China and identified as UNC5221, UNC5325, and UNC3886.

The development comes as SonarSource disclosed a mutation cross-site scripting (mXSS) flaw in the open source email client Mailspring, also known as Nylas Mail (CVE-2023-47479), which could be exploited to bypass sandbox protections and Content Security Policy (CSP) and achieve code execution when a user replies to or forwards a malicious email.


“mXSS takes advantage of this by delivering a payload that initially appears harmless during parsing (during the sanitization process) but turns malicious during reparsing (in the final content display phase),” security researcher Yaniv Nizry said.
