Ivanti Endpoint Manager 2022 Service Update 2

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Published: 2025-09-09T15:11:13.957Z
Updated: 2026-02-26T17:49:04.223Z

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Published: 2025-09-09T15:09:05.375Z
Updated: 2026-02-26T17:49:04.952Z

SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database

Published: 2025-07-08T14:54:42.789Z
Updated: 2025-07-08T15:07:12.721Z

Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

Published: 2025-07-08T14:51:04.446Z
Updated: 2025-07-08T15:14:08.808Z

Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

Published: 2025-07-08T14:45:44.989Z
Updated: 2025-07-08T15:54:49.209Z

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

Published: 2025-04-08T14:27:55.834Z
Updated: 2025-04-08T14:46:25.244Z

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required.

Published: 2025-04-08T14:27:27.199Z
Updated: 2025-04-08T14:52:54.418Z

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.

Published: 2025-04-08T14:27:03.158Z
Updated: 2025-04-08T15:04:45.498Z

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

Published: 2025-04-08T14:26:23.423Z
Updated: 2026-02-26T18:28:39.350Z

Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers.

Published: 2025-04-08T14:25:57.827Z
Updated: 2025-04-08T15:37:26.132Z

DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.

Published: 2025-04-08T14:25:42.603Z
Updated: 2026-02-26T18:28:39.769Z

An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM.

Published: 2024-09-10T21:01:09.475Z
Updated: 2024-09-12T03:55:23.682Z

Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.

Published: 2024-09-10T20:59:40.339Z
Updated: 2024-09-11T13:50:36.958Z

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network.

Published: 2024-09-10T20:54:02.772Z
Updated: 2024-09-11T15:20:28.646Z

Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices.

Published: 2024-09-10T20:52:31.146Z
Updated: 2024-09-11T15:19:03.245Z

SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Published: 2024-09-10T20:50:24.547Z
Updated: 2024-09-12T03:55:08.946Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

Published: 2024-11-12T15:42:20.786Z
Updated: 2024-11-19T04:56:10.026Z

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Published: 2024-11-12T15:41:54.415Z
Updated: 2024-11-19T04:56:08.860Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-12T15:41:17.871Z
Updated: 2024-11-19T04:55:58.542Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-12T15:40:38.609Z
Updated: 2024-11-19T04:55:54.842Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-12T15:40:06.902Z
Updated: 2024-11-19T04:56:00.999Z

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-12T15:37:52.162Z
Updated: 2024-11-19T04:56:07.498Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Published: 2024-11-12T15:37:08.015Z
Updated: 2024-11-19T04:56:06.281Z

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Published: 2024-11-12T15:36:09.760Z
Updated: 2024-11-19T04:55:49.893Z

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Published: 2024-09-12T01:09:56.254Z
Updated: 2024-09-13T15:48:43.529Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.383Z
Updated: 2024-11-19T04:55:56.052Z

Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

Published: 2024-11-13T01:54:45.416Z
Updated: 2024-11-19T04:55:48.661Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.248Z
Updated: 2024-09-12T21:16:44.057Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.555Z
Updated: 2024-11-19T04:56:05.016Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.337Z
Updated: 2024-09-12T21:19:26.664Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.386Z
Updated: 2024-11-19T04:55:59.747Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.516Z
Updated: 2024-11-19T04:55:57.271Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.552Z
Updated: 2024-11-19T04:55:52.429Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.258Z
Updated: 2024-09-12T21:18:18.550Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.249Z
Updated: 2024-09-12T21:18:06.645Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.408Z
Updated: 2024-11-19T04:56:03.781Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.175Z
Updated: 2024-09-12T21:15:08.269Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.175Z
Updated: 2024-09-12T21:14:44.010Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.443Z
Updated: 2024-11-19T04:56:02.536Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.230Z
Updated: 2024-09-12T21:16:22.723Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.173Z
Updated: 2024-09-12T21:13:06.489Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.386Z
Updated: 2024-11-19T04:55:51.227Z

An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-09-12T01:09:56.338Z
Updated: 2024-09-12T21:20:02.605Z

SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2024-11-13T01:54:45.475Z
Updated: 2024-11-19T04:55:53.626Z

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Published: 2024-09-12T01:09:56.277Z
Updated: 2024-09-17T03:55:12.223Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.371Z
Updated: 2024-08-02T01:17:58.190Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.352Z
Updated: 2024-08-02T01:17:57.943Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.379Z
Updated: 2024-08-02T01:17:58.030Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.394Z
Updated: 2024-08-02T01:17:57.504Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.405Z
Updated: 2024-08-02T01:17:57.542Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.399Z
Updated: 2024-08-02T01:17:58.045Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.330Z
Updated: 2024-08-02T01:17:57.543Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.331Z
Updated: 2025-10-21T23:05:16.909Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.409Z
Updated: 2024-08-02T01:17:57.385Z

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Published: 2024-05-31T17:38:31.401Z
Updated: 2024-08-02T01:17:58.027Z

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.

Published: 2025-01-14T17:16:17.218Z
Updated: 2026-02-26T19:09:29.342Z

Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.

Published: 2025-01-14T17:16:48.419Z
Updated: 2026-02-26T19:09:29.018Z

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Published: 2025-01-14T17:17:50.470Z
Updated: 2025-01-16T21:17:15.067Z

An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.

Published: 2025-01-14T17:18:28.069Z
Updated: 2026-02-26T19:09:28.733Z

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Published: 2025-01-14T17:19:00.787Z
Updated: 2025-01-16T21:18:56.082Z

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Published: 2025-01-14T17:19:43.062Z
Updated: 2025-01-16T21:19:20.404Z

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Published: 2025-01-14T17:20:19.876Z
Updated: 2025-01-15T15:20:00.615Z

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Published: 2025-01-14T17:22:15.933Z
Updated: 2025-01-15T15:19:52.577Z

An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.

Published: 2025-01-14T17:22:49.382Z
Updated: 2026-02-26T19:09:28.454Z

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.

Published: 2025-01-14T17:23:13.781Z
Updated: 2026-02-26T19:09:28.096Z

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.

Published: 2025-01-14T17:23:48.256Z
Updated: 2026-02-26T19:09:27.921Z

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Published: 2025-01-14T17:11:32.061Z
Updated: 2025-10-21T22:55:32.564Z

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Published: 2025-01-14T17:12:23.237Z
Updated: 2025-10-21T22:55:32.382Z

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Published: 2025-01-14T17:12:57.652Z
Updated: 2025-10-21T22:55:32.248Z

An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

Published: 2025-01-14T17:13:29.275Z
Updated: 2026-02-26T19:09:29.804Z

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Published: 2025-01-14T16:59:32.982Z
Updated: 2026-02-26T19:09:29.972Z

Insufficient permissions in Ivanti Patch SDK before version 9.7.703 allows a local authenticated attacker to delete arbitrary files.

Published: 2024-12-10T18:46:01.911Z
Updated: 2024-12-10T20:44:59.599Z

An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RCE on the core server.

Published: 2024-01-09T01:33:05.875Z
Updated: 2025-06-03T14:33:22.988Z

An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access.

Published: 2023-09-21T00:00:00.000Z
Updated: 2024-09-24T16:55:31.523Z

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

Published: 2023-09-21T00:00:00.000Z
Updated: 2024-09-24T16:59:33.767Z

Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely.

Published: 2023-10-18T03:52:06.581Z
Updated: 2024-09-13T15:00:03.906Z

Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of sensitive information.

Published: 2023-10-18T03:52:12.988Z
Updated: 2024-09-13T14:55:27.624Z

A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine or be used as a stepping stone to get to other network attached machines.

Published: 2023-06-30T23:40:30.788Z
Updated: 2025-05-05T16:02:45.196Z