Ivanti EPM vulnerable to SQL injection, remote code execution
CVE-2024-32845

7.2HIGH

Key Information:

Vendor
Ivanti
Status
Vendor
CVE Published:
12 September 2024

Summary

An SQL injection vulnerability exists in Ivanti Endpoint Manager, allowing remote authenticated attackers with administrative privileges to execute arbitrary code on affected systems. This flaw affects versions of the software prior to the 2022 SU6 release and the updates made in September 2024. Exploiting this vulnerability could enable unauthorized actions and potentially compromise the integrity of systems running the software.

Affected Version(s)

EPM 2024 September Security Update

EPM 2022 SU6

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.