cvebase

Ivanti Endpoint Manager vulnerabilities

116 known vulnerabilities affecting ivanti/endpoint_manager.

Total CVEs: 116
CISA KEV: 5 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 82, MEDIUM 24

Vulnerabilities

Page 3 of 6
CVE-2024-13171 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13171 [HIGH] CWE-434: Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
nvd
CVE-2024-34787 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2024-11-13
CVE-2024-34787 [HIGH] CWE-22: Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
nvd
CVE-2025-22466 | P3 | CRITICAL | CVSS 9.6 | fixed in 2022 | v2022 +1 more | 2025-04-08
CVE-2025-22466 [CRITICAL] CWE-79: Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
nvd
CVE-2024-29830 | P3 | HIGH | CVSS 8.0 | fixed in 2022 | v2022 | 2024-05-31
CVE-2024-29830 [HIGH] CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29828 | P3 | HIGH | CVSS 8.0 | fixed in 2022 | v2022 | 2024-05-31
CVE-2024-29828 [HIGH] CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29846 | P3 | HIGH | CVSS 8.0 | fixed in 2022 | v2022 | 2024-05-31
CVE-2024-29846 [HIGH] CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2024-29829 | P3 | HIGH | CVSS 8.0 | fixed in 2022 | v2022 | 2024-05-31
CVE-2024-29829 [HIGH] CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2025-13661 | P3 | HIGH | CVSS 8.0 | fixed in 2024 | v2024 | 2025-12-09
CVE-2025-13661 [HIGH] CWE-22: Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.
nvd
CVE-2017-11463 | P3 | HIGH | CVSS 8.8 | v2016.4 | v2017.1 +1 more | 2017-12-11
CVE-2017-11463 [HIGH] CWE-275: In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and
nvd
CVE-2025-62390 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-10-13
CVE-2025-62390 [MEDIUM] CWE-89: SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
nvd
CVE-2025-62389 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-10-13
CVE-2025-62389 [MEDIUM] CWE-89: SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
nvd
CVE-2025-62387 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-10-13
CVE-2025-62387 [MEDIUM] CWE-89: SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
nvd
CVE-2024-13163 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13163 [HIGH] CWE-502: Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
nvd
CVE-2025-10573 | P3 | MEDIUM | CVSS 6.1 | fixed in 2024 | v2024 | 2025-12-09
CVE-2025-10573 [MEDIUM] CWE-79: Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
nvd
CVE-2024-32839 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-13
CVE-2024-32839 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-32841 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-13
CVE-2024-32841 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-32847 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-13
CVE-2024-32847 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-37376 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-13
CVE-2024-37376 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2024-37381 | P3 | HIGH | CVSS 8.0 | v2024 | 2024-07-29
CVE-2024-37381 [HIGH] CWE-89: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code.
nvd
CVE-2025-11623 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024 | v2024 | 2025-10-13
CVE-2025-11623 [MEDIUM] CWE-89: SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
nvd