cvebase

Ivanti Endpoint Manager vulnerabilities

116 known vulnerabilities affecting ivanti/endpoint_manager.

Total CVEs: 116
CISA KEV: 5 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 82, MEDIUM 24

Vulnerabilities

Page 1 of 6
CVE-2024-29824 | P1 | HIGH | CVSS 8.8 | KEV | PoC | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2026-1603 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 2024 | v2024 | 2026-02-10
CWE-288: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
nvd
CVE-2024-13159 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 2022 | v2022 +1 more | 2025-01-14
CWE-36: Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
nvd
CVE-2024-13160 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 2022 | v2022 +1 more | 2025-01-14
CWE-36: Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
nvd
CVE-2024-13161 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 2022 | v2022 +1 more | 2025-01-14
CWE-36: Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
nvd
CVE-2023-28324 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 2022 | 2023-07-01
CWE-20: An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.
nvd
CVE-2024-29847 | P1 | CRITICAL | CVSS 9.8 | fixed in 2022 | v2022 +1 more | 2024-09-12
CWE-502: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
nvd
CVE-2024-29826 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29825 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29823 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-50330 | P1 | CRITICAL | CVSS 9.8 | fixed in 2022 | v2022 +1 more | 2024-11-12
CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.
nvd
CVE-2024-29827 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29822 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 | 2024-05-31
CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-8191 | P2 | CRITICAL | CVSS 9.8 | fixed in 2022 | v2022 +1 more | 2024-09-10
CWE-89: SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
nvd
CVE-2024-37397 | P2 | HIGH | CVSS 8.2 | fixed in 2022 | v2022 | 2024-09-12
CWE-611: An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
nvd
CVE-2025-9712 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 +1 more | 2025-09-09
CWE-434: Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
nvd
CVE-2024-34781 | P2 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-13
CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2025-9713 | P2 | HIGH | CVSS 8.8 | fixed in 2024 | v2024 | 2025-10-13
CWE-22: Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
nvd
CVE-2025-9872 | P2 | HIGH | CVSS 8.8 | fixed in 2022 | v2022 +1 more | 2025-09-09
CWE-434: Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
nvd
CVE-2024-13162 | P2 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2025-01-14
CWE-89: SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.
nvd