CVE-2024-29826

CVSS 9.6 CRITICAL · EPSS 99.9% · CWE-89
In short

A SQL injection flaw in the Core server of Ivanti EPM 2022 SU5 and prior lets someone on the same network inject malicious commands into the database without logging in, potentially taking complete control of the system.

Technical detail

An unauthenticated SQL Injection vulnerability in the Core server component allows a network-adjacent attacker to manipulate SQL queries and execute arbitrary code through the database layer, achieving system compromise without authentication credentials.

Summary generated and translated by AI from the official description.
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Ivanti · EPM
