Primary

Context

Ivanti Endpoint Manager SQL Injection Vulnerability Allowing Arbitrary Data Read from Database

Vulnerability

Patched

A SQL injection vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2022 SU8 and prior, as well as 2024 SU2 and prior. This vulnerability allows remote authenticated attackers with admin privileges to read arbitrary data from the database. The issue arises from improper input validation, enabling attackers to manipulate SQL queries and access sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, potentially including sensitive user data or application records.

Remediation

Users can upgrade to Ivanti Endpoint Manager 2024 SU3 or 2022 SU8 Security Update 1. The latest versions are available for download through the Ivanti License System.

Added: Jul 8, 2025, 5:18 PM

Updated: Jul 8, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

4.4

remediation

7.7

relevance

0.2

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

4.4

remediation

7.7

relevance

0.2

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Ivanti Endpoint Manager SQL Injection Vulnerability Allowing Arbitrary Data Read from Database

Vulnerability

Impact

Remediation

Affected Products

Ivanti Endpoint Manager

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating