SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.
An attacker sends a crafted network request containing a malicious SQL payload to a vulnerable Ivanti Endpoint Manager endpoint without requiring any credentials. The vulnerability results from insufficient validation or sanitization of input data passed to SQL queries (CWE-89). Successful exploitation of this flaw allows the execution of system commands in the context of the database server or application, leading to complete remote code execution.
An attacker can gain full control over the system running Ivanti Endpoint Manager, including the ability to read, modify, or delete data and execute arbitrary system commands. Compromise of the endpoint management system can result in lateral movement throughout the organization's infrastructure.
Ivanti Endpoint Manager must be immediately updated to version EPM 2024 November Security Update or EPM 2022 SU6 November Security Update. Details are available in the vendor's security bulletin: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Ivanti Endpoint Manager in versions prior to the November 2024 security update (EPM 2024 November Security Update) and prior to EPM 2022 SU6 November Security Update
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Endpoint Manager
APPIvanti20222024< 2022
Related vulnerabilities
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia
Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina
Absolute Path Traversal w Ivanti Endpoint Manager — wyciek danych bez uwierzytelnienia