CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-50330

CVSS 9.8v3.1pub. 2024-11-12upd. 2025-04-23

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

🤖 AI Analysis
How it works

An attacker sends a crafted network request containing a malicious SQL payload to a vulnerable Ivanti Endpoint Manager endpoint without requiring any credentials. The vulnerability results from insufficient validation or sanitization of input data passed to SQL queries (CWE-89). Successful exploitation of this flaw allows the execution of system commands in the context of the database server or application, leading to complete remote code execution.

Impact

An attacker can gain full control over the system running Ivanti Endpoint Manager, including the ability to read, modify, or delete data and execute arbitrary system commands. Compromise of the endpoint management system can result in lateral movement throughout the organization's infrastructure.

Mitigation & patch

Ivanti Endpoint Manager must be immediately updated to version EPM 2024 November Security Update or EPM 2022 SU6 November Security Update. Details are available in the vendor's security bulletin: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022

Who is affected

Ivanti Endpoint Manager in versions prior to the November 2024 security update (EPM 2024 November Security Update) and prior to EPM 2022 SU6 November Security Update

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ivanti Endpoint Manager

    APP
    Ivanti
    20222024< 2022
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCESQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2024-13161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia

CVE-2024-13160CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia

CVE-2024-13159CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia

CVE-2025-10573CRITICAL9.6PL ✓ten sam produkt

Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina

CVE-2024-10811CRITICAL9.8PL ✓ten sam produkt

Absolute Path Traversal w Ivanti Endpoint Manager — wyciek danych bez uwierzytelnienia