CVE-2024-29823

CVSS 9.6 CRITICAL · EPSS 99.9% · CWE-89

In short

A flaw in Ivanti EPM 2022 SU5 and earlier versions allows someone on the same network to inject malicious SQL commands without logging in, potentially taking complete control of the server.

Technical detail

Unauthenticated SQL Injection vulnerability in Ivanti EPM Core server (CWE-89) allows network-adjacent attackers to execute arbitrary SQL queries and subsequently arbitrary code. No authentication is required; exploitation requires adjacent-network access to the affected system.

Summary generated and translated by AI from the official description.
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Ivanti · EPM
