Ivanti EPM vulnerable to SQL injection, remote code execution
CVE-2024-32845
7.2HIGH
Summary
An SQL injection vulnerability exists in Ivanti Endpoint Manager, allowing remote authenticated attackers with administrative privileges to execute arbitrary code on affected systems. This flaw affects versions of the software prior to the 2022 SU6 release and the updates made in September 2024. Exploiting this vulnerability could enable unauthorized actions and potentially compromise the integrity of systems running the software.
Affected Version(s)
EPM 2024 September Security Update
EPM 2022 SU6
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database