Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Ivanti

Source -

CNACISA

BOS Name -

Ivanti Software

CNA CVEs -

365

ADP CVEs -

0

CISA CVEs -

34

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
375Vulnerabilities found
CVE-2026-9614
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-0.41% / 61.49%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 17:50
Updated-02 Jun, 2026 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

Action-Not Available
Vendor-Ivanti Software
Product-Neurons for ITSM (Cloud)Neurons for ITSM (On-Premises)
CWE ID-CWE-284
Improper Access Control
CVE-2026-5787
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.9||HIGH
EPSS-0.06% / 18.63%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 15:36
Updated-08 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-5788
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7||HIGH
EPSS-0.25% / 48.71%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 15:29
Updated-07 May, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-284
Improper Access Control
CVE-2026-7821
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.4||HIGH
EPSS-0.06% / 18.63%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 15:26
Updated-07 May, 2026 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-6973
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-5.12% / 90.02%
||
7 Day CHG+0.21%
Published-07 May, 2026 | 15:21
Updated-08 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-05-10||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager MobileEndpoint Manager Mobile (EPMM)
CWE ID-CWE-20
Improper Input Validation
CVE-2026-5786
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-0.40% / 60.70%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 15:18
Updated-08 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-284
Improper Access Control
CVE-2026-4914
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 23.86%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 14:15
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-Neurons for ITSM (Cloud)Neurons for ITSM (On-Premise)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-4913
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.7||MEDIUM
EPSS-0.13% / 31.34%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 14:10
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.

Action-Not Available
Vendor-Ivanti Software
Product-Neurons for ITSM (Cloud)Neurons for ITSM (On-Premise)
CWE ID-CWE-424
Improper Protection of Alternate Path
CVE-2026-3483
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.07% / 21.45%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 14:19
Updated-12 Mar, 2026 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.

Action-Not Available
Vendor-Ivanti Software
Product-desktop_\&_server_managementDesktop and Server Management
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2026-1603
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.6||HIGH
EPSS-58.92% / 98.26%
||
7 Day CHG+3.05%
Published-10 Feb, 2026 | 15:09
Updated-10 Mar, 2026 | 13:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-03-23||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager Endpoint Manager (EPM)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-1602
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 42.93%
||
7 Day CHG~0.00%
Published-10 Feb, 2026 | 15:07
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-1340
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-9.8||CRITICAL
EPSS-69.72% / 98.68%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 21:33
Updated-09 Apr, 2026 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-04-11||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager MobileEndpoint Manager Mobile (EPMM)
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-1281
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-9.8||CRITICAL
EPSS-81.59% / 99.20%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 21:31
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-02-01||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager MobileEndpoint Manager Mobile (EPMM)
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-13662
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.03% / 8.62%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 16:05
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2025-13661
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.1||HIGH
EPSS-1.25% / 79.70%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 16:01
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-13659
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-1.17% / 79.02%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 15:59
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-913
Improper Control of Dynamically-Managed Code Resources
CVE-2025-10573
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-9.6||CRITICAL
EPSS-0.06% / 18.58%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 15:55
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-10918
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.1||HIGH
EPSS-0.06% / 19.78%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 15:31
Updated-17 Nov, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2025-10986
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-4.7||MEDIUM
EPSS-0.73% / 73.04%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 14:22
Updated-15 Oct, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-10985
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-9.23% / 92.87%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 14:20
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-10243
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-9.23% / 92.87%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 14:17
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-10242
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.2||HIGH
EPSS-9.23% / 92.87%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 14:14
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-62384
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:13
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62386
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62383
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62391
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62385
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:12
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62387
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 59.05%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62388
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62389
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 59.05%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:11
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62390
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 59.05%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:10
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-62392
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:10
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-11623
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 56.92%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:09
Updated-10 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-9713
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-3.50% / 87.84%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:08
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-11622
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.8||HIGH
EPSS-0.18% / 38.98%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 21:07
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure deserialization in Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to escalate their privileges.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-55144
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.4||MEDIUM
EPSS-1.49% / 81.42%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:55
Updated-24 Sep, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayNeurons for Secure AccessPolicy Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-55143
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 7.82%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:52
Updated-24 Sep, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayNeurons for Secure AccessPolicy Secure
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-55142
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-3.84% / 88.41%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:49
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-55141
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-3.84% / 88.41%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:45
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-55139
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-6.8||MEDIUM
EPSS-0.77% / 73.90%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:41
Updated-24 Sep, 2025 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to enumerate internal services.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayNeurons for Secure AccessPolicy Secure
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-55148
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-7.6||HIGH
EPSS-2.78% / 86.34%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:37
Updated-24 Sep, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayNeurons for Secure AccessPolicy Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-55147
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-0.35% / 57.82%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:32
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute sensitive actions on behalf of the victim user. User interaction is required

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-55146
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-4.9||MEDIUM
EPSS-1.02% / 77.60%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:28
Updated-24 Sep, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayNeurons for Secure AccessPolicy Secure
CWE ID-CWE-252
Unchecked Return Value
CVE-2025-55145
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.9||HIGH
EPSS-0.57% / 68.98%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:22
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing HTML5 connections.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayPolicy SecureZTA GatewayNeurons for Secure AccessConnect Secure 22.7R2.9
CWE ID-CWE-862
Missing Authorization
CVE-2025-8711
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.4||MEDIUM
EPSS-0.10% / 27.41%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:17
Updated-24 Sep, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute limited actions on behalf of the victim user. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecureZTA GatewayPolicy SecureNeurons for Secure
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-8712
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.4||MEDIUM
EPSS-0.89% / 75.96%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:12
Updated-24 Sep, 2025 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayZTA GatewayConnect Secure beforeNeurons for Secure AccessPolicy Secure
CWE ID-CWE-862
Missing Authorization
CVE-2025-9872
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-2.58% / 85.87%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:11
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-9712
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-8.8||HIGH
EPSS-2.80% / 86.41%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 15:09
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_managerEndpoint Manager
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-5468
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-5.5||MEDIUM
EPSS-0.08% / 23.71%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 15:05
Updated-23 Sep, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecurePolicy SecureZTA GatewayNeurons for Secure Access
CWE ID-CWE-61
UNIX Symbolic Link (Symlink) Following
CVE-2025-5466
Assigner-Ivanti
ShareView Details
Assigner-Ivanti
CVSS Score-4.9||MEDIUM
EPSS-1.04% / 77.76%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 15:00
Updated-23 Sep, 2025 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service

Action-Not Available
Vendor-Ivanti Software
Product-connect_securepolicy_secureneurons_for_secure_accesszero_trust_access_gatewayConnect SecurePolicy SecureZTA GatewayNeurons for Secure Access
CWE ID-CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next