CVE-2024-29825
In short
A security flaw in Ivanti EPM 2022 SU5 and earlier versions allows someone on the same network to inject malicious SQL commands without logging in, potentially taking complete control of the system.
Technical detail
A SQL injection vulnerability in the Core server component lets an unauthenticated attacker on the same network execute arbitrary SQL queries, escalating to remote code execution. It affects Ivanti EPM 2022 SU5 and prior versions.
Summary generated and translated by AI from the official description.
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Ivanti · EPM