CVE-2023-39336
published 2024-01-09


Priority: P262 · high · 8.8 (CVSS 3.1)
Vector: AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 9.97% (95.0th percentile)
An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RCE on the core server.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
ivanti | endpoint_manager | < 2022 | 2022
ivanti | endpoint_manager | |

Detection & IOCs (extracted from sources)

  • Exploit targets Ivanti EPM via unauthenticated SQL injection over the internal network — monitor for anomalous SQL query traffic or unexpected database output from EPM core server processes
  • When the core server is configured to use SQL Express, successful exploitation may result in RCE on the core server — monitor for unexpected process spawning from the Ivanti EPM core server process, especially under SQL Express configurations
  • Exploitation can lead to attacker control over machines running the EPM agent — monitor for unexpected lateral movement or configuration changes pushed to EPM-enrolled endpoints following core server compromise
  • Vulnerability is exploitable in low-complexity attacks requiring no privileges or user interaction from an internal network position — prioritize detection of unauthenticated internal requests to EPM services
  • RCE on the core server only occurs under the specific condition that the core server is configured to use SQL Express — standard SQL Server configurations may not be directly vulnerable to RCE

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H