Ivanti Endpoint Manager vulnerabilities
116 known vulnerabilities affecting ivanti/endpoint_manager.
Total CVEs: 116
CISA KEV: 5 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 82, MEDIUM 24
Vulnerabilities
Page 2 of 6
CVE-2020-13774 | P2 | CRITICAL | CVSS 9.9 | CWE-434 | v2019.1, v2020.1 | 2020-11-12
An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave
nvd
CVE-2023-28323 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 2022 | v2022 | 2023-07-01
A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine or be used as a stepping stone to get to other network attached machine
nvd
CVE-2024-34783 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-32848 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2023-35084 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 2022 | v2022 | 2023-10-18
Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely.
nvd
CVE-2023-39336 | P2 | HIGH | CVSS 8.8 | CWE-89 | fixed in 2022 | v2022 | 2024-01-09
An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RCE on the core server.
nvd
CVE-2025-13659 | P2 | HIGH | CVSS 8.8 | CWE-913 | fixed in 2024 | v2024 | 2025-12-09
Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.
nvd
CVE-2026-8111 | P2 | HIGH | CVSS 8.8 | CWE-89 | ≤ 2022 | v2024 | 2026-05-12
SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.
nvd
CVE-2024-50326 | P2 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-11-12
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-8321 | P2 | HIGH | CVSS 8.6 | CWE-306 | fixed in 2022 | v2022 +1 more | 2024-09-10
Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network.
nvd
CVE-2024-34785 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-32840 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2020-13769 | P2 | HIGH | CVSS 8.8 | CWE-89 | ≤ 2020.1 | 2020-11-16
LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.
nvd
CVE-2024-32845 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-34779 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 2022 | v2022 +1 more | 2024-09-12
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-50324 | P3 | HIGH | CVSS 7.2 | CWE-22 | fixed in 2022 | v2022 +1 more | 2024-11-12
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2019-10651 | P3 | CRITICAL | CVSS 9.8 | v2017.3, v2018.1 +1 more | 2019-07-11
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.
nvd
CVE-2022-27773 | P3 | CRITICAL | CVSS 9.8 | CWE-276 | fixed in 2021.1 | v2021.1 +1 more | 2022-12-05
A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges.
nvd
CVE-2024-50329 | P3 | HIGH | CVSS 8.8 | CWE-22 | fixed in 2022 | v2022 +1 more | 2024-11-12
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
nvd
CVE-2024-8322 | P3 | HIGH | CVSS 8.8 | CWE-1390 | fixed in 2022 | v2022 +1 more | 2024-09-10
Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality.
nvd