Skip to main content

Ivanti Endpoint Manager CVE-2026-8111

| EUVDEUVD-2026-29491 HIGH
SQL Injection (CWE-89)
2026-05-12 ivanti GHSA-m3v8-pvh9-qg2r
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 15:32 vuln.today
CVE Published
May 12, 2026 - 14:33 nvd
HIGH 8.8

DescriptionCVE.org

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

AnalysisAI

SQL injection in Ivanti Endpoint Manager web console enables authenticated remote attackers to execute arbitrary code on the server. Affects all versions prior to 2024 SU6. Attack requires only low-privilege authenticated access (CVSS PR:L) with low complexity (AC:L), making exploitation straightforward for any authenticated user. Ivanti has released patched version 2024 SU6 per vendor advisory dated May 2026. No CISA KEV listing or public exploit code identified at time of analysis, indicating exploitation not yet confirmed in the wild despite high severity score.

Technical ContextAI

The vulnerability resides in the web console component of Ivanti Endpoint Manager (EPM), an enterprise systems management platform for provisioning, managing, and securing devices. The affected CPE string (cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*) indicates all versions of the core EPM product prior to 2024 SU6 are vulnerable. The root cause is CWE-89 (SQL Injection), where user-supplied input to the web console is improperly sanitized before being incorporated into SQL queries. This allows attackers to inject malicious SQL commands that the backend database executes with elevated privileges. Because EPM web consoles typically run with administrative database access to manage endpoint configurations and policies, successful SQL injection can be chained to achieve remote code execution on the underlying server through database stored procedures, xp_cmdshell (SQL Server), or similar mechanisms depending on the database backend implementation.

RemediationAI

Upgrade Ivanti Endpoint Manager to version 2024 SU6 or later per vendor advisory at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026?language=en_US. Ivanti typically distributes SU (Service Update) releases through the EPM administrative console or direct download portal for licensed customers. If immediate patching is not feasible, implement compensating controls: (1) Restrict web console access to specific IP ranges via firewall rules or reverse proxy ACLs, limiting exposure to trusted management networks only-trade-off is reduced remote administration capability for IT staff; (2) Disable or remove low-privilege user accounts from web console access, restricting to only administrator-level accounts with monitored credentials-side effect is operational friction for delegated administration workflows; (3) Deploy web application firewall (WAF) with SQL injection signature detection in blocking mode in front of EPM web console-may cause false positives requiring tuning for legitimate EPM queries containing SQL-like syntax in device filter expressions or report parameters; (4) Enable comprehensive SQL query logging and monitor for anomalous injection patterns (UNION, semicolon-delimited multi-statement queries, sleep/waitfor commands)-generates significant log volume requiring SIEM integration.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-8111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy