Ivanti Endpoint Manager SQL Injection Vulnerability Allowing Arbitrary Data Read from Database

A SQL injection vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU3 SR1 and prior, as well as in the 2022 version prior to SU8 SR2. This vulnerability allows remote authenticated attackers to read arbitrary data from the database. The issue arises from improper handling of SQL queries, which could be exploited to manipulate database commands and access sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, potentially allowing attackers to read sensitive data that could be misused or disclosed.

Remediation

EPM administrators can remove the Reporting database user from their configuration to address this vulnerability, but this will disable reporting functionality. For those running Ivanti EPM 2024 SU3 SR1, the risk is significantly reduced due to important security enhancements. Customers using version 2022 SU8 SR2 or prior should upgrade to the latest version of Ivanti EPM 2024.