Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-22461

Summary
Assigner-ivanti
Assigner Org ID-3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Published At-08 Apr, 2025 | 14:26
Updated At-26 Feb, 2026 | 18:28
Rejected At-
Credits

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ivanti
Assigner Org ID:3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Published At:08 Apr, 2025 | 14:26
Updated At:26 Feb, 2026 | 18:28
Rejected At:
▼CVE Numbering Authority (CNA)

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

Affected Products
Vendor
Ivanti SoftwareIvanti
Product
Endpoint Manager
Default Status
affected
Versions
Unaffected
  • 2024 SU1 (custom)
  • 2022 SU7 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66 SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66 SQL Injection
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6
N/A
Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Published At:08 Apr, 2025 | 15:15
Updated At:16 May, 2025 | 14:00

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Ivanti Software
ivanti
>>endpoint_manager>>Versions before 2022(exclusive)
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su6:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2024
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primary3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CWE ID: CWE-89
Type: Primary
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU63c1d8aa1-5a33-4ea4-8992-aadd6440af75
Vendor Advisory
Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1237Records found
CVE-2023-35081
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-63.32% / 99.10%
||
7 Day CHG~0.00%
Published-03 Aug, 2023 | 17:00
Updated-14 Jan, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-08-21||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEPMMEndpoint Manager Mobile (EPMM)
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-6771
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-14.81% / 96.26%
||
7 Day CHG~0.00%
Published-08 Jul, 2025 | 15:38
Updated-11 Jul, 2025 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS command injection in Ivanti Endpoint Manager

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-3540
Matching Score-8
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-8
Assigner-Rapid7, Inc.
CVSS Score-6.5||MEDIUM
EPSS-3.31% / 86.98%
||
7 Day CHG~0.00%
Published-22 Jul, 2021 | 18:27
Updated-17 Sep, 2024 | 00:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ivanti MobileIron Core clish Restricted Shell Escape via Argument Injection

By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.

Action-Not Available
Vendor-Ivanti Software
Product-mobileironMobileIron Core
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2025-6770
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-12.31% / 95.68%
||
7 Day CHG~0.00%
Published-08 Jul, 2025 | 15:02
Updated-11 Jul, 2025 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS command injection in Ivanti Endpoint Manager

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8190
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-88.95% / 99.76%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 20:33
Updated-24 Oct, 2025 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-04||As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive future security updates.

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Action-Not Available
Vendor-Ivanti Software
Product-cloud_services_applianceCSA (Cloud Services Appliance)endpoint_manager_cloud_services_applianceCloud Services Appliance
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22934
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-4.67% / 90.60%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 18:38
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2021-22935
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-2.10% / 79.35%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 18:38
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-8219
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-2.22% / 80.45%
||
7 Day CHG~0.00%
Published-30 Jul, 2020 | 12:53
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_policy_securepolicy_securepulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-280
Improper Handling of Insufficient Permissions or Privileges
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-8260
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-96.48% / 99.87%
||
7 Day CHG~0.00%
Published-28 Oct, 2020 | 12:47
Updated-30 Oct, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

Action-Not Available
Vendor-n/aIvanti Software
Product-connect_securePulse Connect Secure / Pulse Policy SecurePulse Connect Secure
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-8218
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-32.74% / 98.13%
||
7 Day CHG~0.00%
Published-30 Jul, 2020 | 12:53
Updated-30 Oct, 2025 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-07||Apply updates per vendor instructions.

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-policy_secureconnect_securepulse_policy_securePulse Connect SecurePulse Connect Secure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-8243
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-90.76% / 99.79%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 13:44
Updated-30 Oct, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.

Action-Not Available
Vendor-n/aIvanti Software
Product-policy_secureconnect_securePulse Connect SecrePulse Connect Secure
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-50324
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-18.18% / 96.84%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 15:37
Updated-19 Nov, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Managerendpoint_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-44720
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.30% / 81.06%
||
7 Day CHG~0.00%
Published-11 Aug, 2022 | 15:49
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securen/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-22900
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-14.15% / 96.11%
||
7 Day CHG~0.00%
Published-27 May, 2021 | 11:15
Updated-03 Nov, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Action-Not Available
Vendor-n/aPulse SecureIvanti Software
Product-connect_securepulse_connect_securePulse Secure SecurePulse Connect Secure
CWE ID-CWE-669
Incorrect Resource Transfer Between Spheres
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-22937
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-7.83% / 93.92%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 18:38
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2021-22938
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-2.10% / 79.35%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 18:38
Updated-03 Aug, 2024 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-13158
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-2.75% / 84.33%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 17:13
Updated-26 Feb, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-426
Untrusted Search Path
CVE-2024-11633
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-9.1||CRITICAL
EPSS-1.70% / 74.36%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 18:47
Updated-17 Jan, 2025 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution

Action-Not Available
Vendor-Ivanti Software
Product-connect_secureConnect Secure
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2024-11006
Matching Score-8
Assigner-Ivanti
ShareView Details
Matching Score-8
Assigner-Ivanti
CVSS Score-9.1||CRITICAL
EPSS-1.65% / 73.54%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 16:06
Updated-17 Jan, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_securePolicy SecureConnect Securepolicy_secureconnect_secure
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-62385
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 50.27%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62383
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.76% / 50.46%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62387
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.42%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62391
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 50.28%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62392
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 50.30%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:10
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62388
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 50.30%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62389
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.45%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62386
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.75% / 50.28%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-13769
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.64% / 83.62%
||
7 Day CHG~0.00%
Published-16 Nov, 2020 | 15:28
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.

Action-Not Available
Vendor-n/aIvanti Software
Product-endpoint_managern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-8111
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-0.88% / 54.56%
||
7 Day CHG+0.02%
Published-12 May, 2026 | 14:33
Updated-13 May, 2026 | 03:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62384
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.76% / 50.46%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:13
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62390
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-1.58% / 72.45%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:10
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-12374
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-2.63% / 83.60%
||
7 Day CHG~0.00%
Published-03 Jun, 2019 | 19:26
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll.

Action-Not Available
Vendor-n/aIvanti Software
Product-landesk_management_suiten/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36975
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-9.1||CRITICAL
EPSS-6.53% / 92.93%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36979
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-6.53% / 92.93%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36972
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-9.1||CRITICAL
EPSS-6.53% / 92.93%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36973
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-9.1||CRITICAL
EPSS-6.02% / 92.41%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-36976
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-9.1||CRITICAL
EPSS-6.53% / 92.93%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-1602
Matching Score-6
Assigner-Ivanti
ShareView Details
Matching Score-6
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.69% / 47.85%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 15:07
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-37381
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.4||HIGH
EPSS-3.14% / 86.25%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 05:43
Updated-10 Jul, 2025 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-34780
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-1.67% / 73.79%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-19 Nov, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-EPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32841
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-3.30% / 86.96%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-19 Nov, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-EPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32839
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-3.30% / 86.96%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 01:54
Updated-19 Nov, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-EPMepm
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29830
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.4||HIGH
EPSS-8.48% / 94.34%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29823
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-9.6||CRITICAL
EPSS-99.86% / 99.96%
||
7 Day CHG-0.02%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29825
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-9.6||CRITICAL
EPSS-99.88% / 99.96%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29846
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.4||HIGH
EPSS-8.48% / 94.34%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29824
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-9.6||CRITICAL
EPSS-99.95% / 99.97%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-30 Oct, 2025 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-23||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_managerEndpoint Manager (EPM)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29828
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.4||HIGH
EPSS-8.48% / 94.34%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29827
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-9.6||CRITICAL
EPSS-71.69% / 99.34%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-29829
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.4||HIGH
EPSS-8.23% / 94.18%
||
7 Day CHG~0.00%
Published-31 May, 2024 | 17:38
Updated-03 Oct, 2024 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEPMendpoint_manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 24
  • 25
  • Next
Details not found