Skip to main content

Endpoint Manager

96 CVEs product

Monthly

CVE-2026-1603 HIGH POC KEV THREAT Act Now

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.

Ivanti Authentication Bypass Endpoint Manager
NVD
CVSS 3.1
8.6
EPSS
43.9%
Threat
6.0
CVE-2026-1602 MEDIUM This Month

Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.

Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-10918 HIGH This Month

Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-9872 HIGH This Month

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2025-9712 HIGH This Month

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2025-7037 HIGH This Week

SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database

Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-6996 HIGH This Week

A security vulnerability in the agent of Ivanti Endpoint Manager (CVSS 8.4) that allows a local authenticated attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-6995 HIGH This Week

A security vulnerability in the agent of Ivanti Endpoint Manager (CVSS 8.4) that allows a local authenticated attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-22466 HIGH This Week

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XSS Endpoint Manager
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-22465 MEDIUM This Month

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XSS Endpoint Manager
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-22464 MEDIUM This Month

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-22461 HIGH This Week

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SQLi Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
4.1%
CVE-2025-22459 MEDIUM This Month

Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-22458 HIGH This Month

DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-13172 HIGH This Month

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ivanti Jwt Attack Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2024-13171 HIGH This Month

Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 30.3% and no vendor patch available.

RCE File Upload Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
30.3%
CVE-2024-13170 HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Denial Of Service Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-13169 HIGH This Month

An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-13168 HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Denial Of Service Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-13167 HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Denial Of Service Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-13166 HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Denial Of Service Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2024-13165 HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Denial Of Service Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-13164 HIGH This Month

An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-13163 HIGH This Month

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.

RCE Deserialization Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
26.5%
CVE-2024-13162 HIGH This Month

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 43.8% and no vendor patch available.

RCE Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
43.8%
CVE-2024-13161 CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosure, completing the triple path traversal set in the January 2025 security update.

Ivanti Path Traversal Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
92.5%
Threat
7.7
CVE-2024-13160 CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosure, part of the triple path traversal affecting EPM's January 2025 security update.

Ivanti Path Traversal Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
93.5%
Threat
7.8
CVE-2024-13159 CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to leak sensitive information from the EPM server, one of three related Ivanti EPM path traversal CVEs.

Ivanti Path Traversal Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2024-13158 HIGH PATCH This Month

An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 21.5%.

RCE Ivanti Path Traversal Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
21.5%
CVE-2024-10811 CRITICAL POC Act Now

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti Path Traversal Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2024-10256 HIGH This Week

Insufficient permissions in Ivanti Patch SDK before version 9.7.703 allows a local authenticated attacker to delete arbitrary files. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager Neurons Agent Platform Neurons For Patch Management +3
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-37376 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2024-34787 HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
17.9%
CVE-2024-34784 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2024-34782 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2024-34781 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
67.7%
CVE-2024-34780 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2024-32847 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2024-32844 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2024-32841 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
3.3%
CVE-2024-32839 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
3.3%
CVE-2024-50330 CRITICAL Act Now

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
40.5%
CVE-2024-50329 HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-50328 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2024-50327 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-50326 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
25.8%
CVE-2024-50324 HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
18.2%
CVE-2024-50323 HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2024-50322 HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
6.0%
CVE-2024-37397 HIGH This Week

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Endpoint Manager
NVD
CVSS 3.1
8.2
EPSS
59.3%
CVE-2024-34785 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
25.4%
CVE-2024-34783 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
43.4%
CVE-2024-34779 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
24.0%
CVE-2024-32848 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
43.4%
CVE-2024-32846 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
2.1%
CVE-2024-32845 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
24.0%
CVE-2024-32843 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
2.1%
CVE-2024-32842 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
2.1%
CVE-2024-32840 HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
7.2
EPSS
25.4%
CVE-2024-29847 CRITICAL Act Now

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
52.9%
CVE-2024-8441 MEDIUM This Month

An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ivanti Endpoint Manager
NVD
CVSS 3.1
6.7
EPSS
0.4%
CVE-2024-8322 HIGH This Week

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-8321 HIGH This Week

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Endpoint Manager
NVD
CVSS 3.1
8.6
EPSS
1.8%
CVE-2024-8320 MEDIUM This Month

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Endpoint Manager
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2024-8191 CRITICAL Act Now

SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
19.6%
CVE-2024-37381 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.0
EPSS
3.1%
CVE-2024-29846 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.0
EPSS
8.5%
CVE-2024-29830 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.0
EPSS
8.5%
CVE-2024-29829 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.0
EPSS
8.2%
CVE-2024-29828 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.0
EPSS
8.5%
CVE-2024-29827 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
71.7%
CVE-2024-29826 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
99.9%
CVE-2024-29825 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
99.9%
CVE-2024-29824 HIGH POC KEV THREAT Act Now

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
100.0%
CVE-2024-29823 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
99.9%
CVE-2024-29822 HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
64.4%
CVE-2024-22058 HIGH This Week

A buffer overflow allows a low privilege user on the local machine that has the EPM Agent installed to execute arbitrary code with elevated permissions in Ivanti EPM 2021.1 and older. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow RCE Ivanti Endpoint Manager
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2023-39336 HIGH This Week

An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-35084 CRITICAL Act Now

Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti Deserialization Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2023-35083 MEDIUM This Month

Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Endpoint Manager
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2023-38344 MEDIUM This Month

An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-38343 HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE Endpoint Manager
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-35077 HIGH This Week

An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti Microsoft Endpoint Manager
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-28324 CRITICAL POC THREAT Emergency

A improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
12.9%
CVE-2023-28323 CRITICAL Act Now

A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2022-35259 HIGH This Week

XML Injection with Endpoint Manager 2022. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Endpoint Manager
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2022-27773 CRITICAL Act Now

A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2022-30121 MEDIUM This Month

The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Endpoint Manager
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2020-13773 MEDIUM POC This Month

Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ivanti Endpoint Manager
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2020-13772 MEDIUM POC This Month

In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti Information Disclosure Endpoint Manager
NVD
CVSS 3.1
5.3
EPSS
2.3%
EPSS 44% 6.0 CVSS 8.6
HIGH POC KEV THREAT Act Now

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.

Ivanti Authentication Bypass Endpoint Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.

Ivanti SQLi Endpoint Manager
NVD
EPSS 0% CVSS 7.1
HIGH This Month

Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
EPSS 1% CVSS 8.8
HIGH This Month

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Ivanti +1
NVD
EPSS 1% CVSS 8.8
HIGH This Month

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Ivanti +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database

Ivanti SQLi Endpoint Manager
NVD
EPSS 0% CVSS 8.4
HIGH This Week

A security vulnerability in the agent of Ivanti Endpoint Manager (CVSS 8.4) that allows a local authenticated attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Ivanti Endpoint Manager
NVD
EPSS 0% CVSS 8.4
HIGH This Week

A security vulnerability in the agent of Ivanti Endpoint Manager (CVSS 8.4) that allows a local authenticated attacker. High severity vulnerability requiring prompt remediation.

Information Disclosure Ivanti Endpoint Manager
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XSS Endpoint Manager
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XSS Endpoint Manager
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
EPSS 4% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SQLi Ivanti +1
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
EPSS 0% CVSS 7.8
HIGH This Month

DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
EPSS 1% CVSS 7.8
HIGH This Month

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Ivanti Jwt Attack +1
NVD
EPSS 30% CVSS 7.8
HIGH This Month

Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 30.3% and no vendor patch available.

RCE File Upload Ivanti +1
NVD
EPSS 2% CVSS 7.5
HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Ivanti +1
NVD
EPSS 2% CVSS 7.5
HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 2% CVSS 7.5
HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 2% CVSS 7.5
HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 2% CVSS 7.5
HIGH This Month

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ivanti Endpoint Manager
NVD
EPSS 26% CVSS 7.8
HIGH This Month

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 26.5% and no vendor patch available.

RCE Deserialization Ivanti +1
NVD
EPSS 44% CVSS 7.2
HIGH This Month

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 43.8% and no vendor patch available.

RCE Ivanti SQLi +1
NVD
EPSS 93% 7.7 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosure, completing the triple path traversal set in the January 2025 security update.

Ivanti Path Traversal Endpoint Manager
NVD
EPSS 93% 7.8 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosure, part of the triple path traversal affecting EPM's January 2025 security update.

Ivanti Path Traversal Endpoint Manager
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to leak sensitive information from the EPM server, one of three related Ivanti EPM path traversal CVEs.

Ivanti Path Traversal Endpoint Manager
NVD
EPSS 21% CVSS 7.2
HIGH PATCH This Month

An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 21.5%.

RCE Ivanti Path Traversal +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti Path Traversal Endpoint Manager
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Insufficient permissions in Ivanti Patch SDK before version 9.7.703 allows a local authenticated attacker to delete arbitrary files. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager +5
NVD
EPSS 3% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 18% CVSS 7.8
HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 68% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 3% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 3% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 3% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 41% CVSS 9.8
CRITICAL Act Now

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 1% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 26% CVSS 7.2
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 18% CVSS 7.2
HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti +1
NVD
EPSS 1% CVSS 7.8
HIGH This Week

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 6% CVSS 7.8
HIGH This Week

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ivanti +1
NVD
EPSS 59% CVSS 8.2
HIGH This Week

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti XXE Endpoint Manager
NVD
EPSS 25% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 43% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 24% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 43% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 24% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 2% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 25% CVSS 7.2
HIGH This Week

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 53% CVSS 9.8
CRITICAL Act Now

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ivanti Endpoint Manager
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD
EPSS 2% CVSS 8.6
HIGH This Week

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Endpoint Manager
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ivanti Endpoint Manager
NVD
EPSS 20% CVSS 9.8
CRITICAL Act Now

SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 3% CVSS 8.0
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 8% CVSS 8.0
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 8% CVSS 8.0
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 8% CVSS 8.0
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 8% CVSS 8.0
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 72% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 100% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 100% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 100% CVSS 8.8
HIGH POC KEV THREAT Act Now

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi RCE Ivanti +1
NVD GitHub
EPSS 100% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 64% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Ivanti +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A buffer overflow allows a low privilege user on the local machine that has the EPM Agent installed to execute arbitrary code with elevated permissions in Ivanti EPM 2021.1 and older. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ivanti SQLi Endpoint Manager
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti Deserialization Endpoint Manager
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Endpoint Manager
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ivanti Endpoint Manager
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti SSRF XXE +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Ivanti +2
NVD
EPSS 13% CVSS 9.8
CRITICAL POC THREAT Emergency

A improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation RCE Ivanti +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Endpoint Manager
NVD
EPSS 1% CVSS 7.8
HIGH This Week

XML Injection with Endpoint Manager 2022. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Endpoint Manager
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ivanti Privilege Escalation Endpoint Manager
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Endpoint Manager
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ivanti Endpoint Manager
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ivanti Information Disclosure Endpoint Manager
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy