Ivanti Endpoint Manager SQL Injection Vulnerability Allowing Arbitrary Data Read

Vulnerability

A SQL injection vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU4 SR1 and prior. This vulnerability allows remote authenticated attackers to read arbitrary data from the database. The issue arises from improper handling of SQL queries, which could be exploited to manipulate database commands and access sensitive information.

Impact

Exploitation of this vulnerability could lead to unauthorized access to database information, allowing attackers to read sensitive data that could be used for further attacks or to compromise user accounts.

Remediation

Users can update to Ivanti Endpoint Manager 2024 SU5 to address this vulnerability. The update is available through the Ivanti License System (ILS).

Added: Feb 10, 2026, 4:23 PM
Updated: Feb 10, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.