CVE-2019-12377

Name of the Vulnerable Software and Affected Versions Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) version 10.0.1.168 Service Update 5

Description The issue concerns a vulnerable API endpoint, specifically the "upl/async upload.asp" web API endpoint, which allows arbitrary file upload. This may lead to arbitrary remote code execution.

Recommendations For version 10.0.1.168 Service Update 5, as a temporary workaround, consider disabling access to the "upl/async upload.asp" API endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.