[pixl97]

>We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.

“We are aware” and “very limited” are likely (in our opinion, this is probably not fact, etc, etc) to be doing a significant amount of lifting.

For avoidance of doubt, the following versions of Ivanti EPMM are patched:

None

----

Ah, this company is a security joke as most software security companies are.

[ghostly_s]

It seems you forgot to note this comment is a quote from [1].

1. https://labs.watchtowr.com/someone-knows-bash-far-too-well-a...

[javcasas]

"We are aware" can mean "we are taking this very seriously and have seen very little so far" or it can mean "after covering our eyes and plugging our ears we are seeing and hearing very little of this problem".

[pipo234]

And "a very limited number" may mean "though we pretend to be a big company, we have a limited number of customers and while they all pay licence fees, most are not actually using the product in production."

[pixl97]

Ivanti isn't exactly a small company. It's products are used in fair amount of the F100's out there so any risk on their part can have an outsized influence.

[javcasas]

That's why you hire a CSO: Chief Scapegoat Officer.

You pay them a million per year, and fire them when a breach happens.

Way cheaper than improving security.

[moepstar]

If you're aware of the sheer number of exploits that can work around or without authentication against anything Ivanti, it has to be the latter.