Ivanti Endpoint Manager SQL Injection Vulnerability Allowing Arbitrary Data Read from Database

A SQL injection vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU3 SR1 and prior, as well as in the 2022 version through SU8 SR2. This vulnerability allows remote authenticated attackers to read arbitrary data from the database. The issue arises from insufficient input validation, which enables attackers to manipulate SQL queries and access sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, potentially allowing attackers to read sensitive data that could be used for further attacks or to compromise the integrity of the application.

Remediation

EPM administrators can remove the Reporting database user from their configuration to address this vulnerability, but this will disable reporting functionality. For those running Ivanti EPM 2024 SU3 SR1, the risk is significantly reduced due to important security enhancements. Customers using version 2022 SU8 SR2 or prior should upgrade to the latest version of Ivanti EPM 2024.