
Bitdefender has released a patch for a critical vulnerability in its GravityZone Update Server. The vulnerability could allow attackers to perform server-side request forgery (SSRF) attacks, leading to unauthorized access and data breaches.
The vulnerability, tracked as CVE-2024-6980 with a CVSS score of 9.2, stems from verbose error handling in the proxy service of the GravityZone Update Server. That server is responsible for distributing critical security updates, including antivirus definitions, patches, and software upgrades, to all protected devices within the network. Attackers can exploit this weakness to manipulate the server into making unintended requests to other systems, potentially exposing sensitive data or compromising network security.
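The following added example (illustrative code, not Bitdefender's or the GravityZone codebase) shows why verbose error handling in a proxy service matters: when the proxy echoes the upstream error text back to the caller, an SSRF bug stops being blind and reveals what internal hosts replied. It contrasts that weak pattern with a hardened one that allow-lists destinations and keeps failure details in a server-side log. The host names, the `fake_fetch` stand-in and the `UpstreamError` type are assumptions made so the script runs offline.

```python
"""Illustrative example: a proxy fetch handler with verbose error handling
(weak) next to a hardened version. The upstream HTTP client is simulated."""
from urllib.parse import urlparse

# Hosts the update proxy is legitimately allowed to contact (constructed values).
ALLOWED_HOSTS = {"updates.example.test"}


class UpstreamError(Exception):
    """Raised by the simulated fetch; carries the raw upstream response text."""


def fake_fetch(url: str) -> str:
    """Stand-in for a real HTTP client. Answers for the allowed host and raises
    with a revealing message for anything else, mimicking an internal service
    whose reply should never reach an external caller."""
    host = urlparse(url).hostname
    if host == "updates.example.test":
        return "definitions-v1"
    raise UpstreamError(f"connect to {host}: 401 Unauthorized; admin panel at /console")


def proxy_verbose(url: str, fetch=fake_fetch):
    """Weak pattern: no destination check, and the upstream error text is echoed
    to the caller, so a crafted URL discloses how internal hosts responded."""
    try:
        return 200, fetch(url)
    except UpstreamError as exc:
        return 502, f"upstream error: {exc}"  # leaks internal details


def proxy_hardened(url: str, fetch=fake_fetch, log=None):
    """Hardened pattern: only http(s) to allow-listed hosts is forwarded, and a
    failure yields a generic message while the detail goes to a server-side log."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
        return 403, "destination not permitted"
    try:
        return 200, fetch(url)
    except UpstreamError as exc:
        if log is not None:
            log.append(f"upstream failure for {parsed.hostname}: {exc}")
        return 502, "upstream request failed"


if __name__ == "__main__":
    internal = "http://10.0.0.5/admin"  # constructed address of an internal host
    print(proxy_verbose(internal))       # the internal host's reply leaks to the caller
    print(proxy_hardened(internal))      # generic refusal; detail stays server-side
```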
The vulnerability affects Bitdefender GravityZone Console versions before 6.38.1-5 running on-premises installations only. Cloud-based GravityZone instances are not impacted.
Bitdefender has released an automatic update to GravityZone Console version 6.38.1-5 that addresses the vulnerability. All GravityZone customers are strongly advised to apply the update immediately to ensure the security of their enterprise environments.