cvebase

Ivanti Endpoint Manager vulnerabilities

116 known vulnerabilities affecting ivanti/endpoint_manager.

Total CVEs: 116
CISA KEV: 5 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 82, MEDIUM 24

Vulnerabilities

Page 5 of 6
CVE-2024-50322 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2024-11-12
CVE-2024-50322 [HIGH] CWE-22: Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
nvd
CVE-2024-13170 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13170 [HIGH] CWE-787: An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-13168 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13168 [HIGH] CWE-787: An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-13165 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13165 [HIGH] CWE-787: An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-13167 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13167 [HIGH] CWE-787: An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2024-13166 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13166 [HIGH] CWE-787: An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
nvd
CVE-2025-11622 | P3 | HIGH | CVSS 7.8 | fixed in 2024 | v2024 | 2025-10-13
CVE-2025-11622 [HIGH] CWE-502: Insecure deserialization in Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to escalate their privileges.
nvd
CVE-2023-38343 | P3 | HIGH | CVSS 7.5 | fixed in 2022 | v2022 | 2023-09-21
CVE-2023-38343 [HIGH] CWE-611: An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.
nvd
CVE-2025-22461 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2025-04-08
CVE-2025-22461 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.
nvd
CVE-2024-50327 | P3 | HIGH | CVSS 7.2 | fixed in 2022 | v2022 +1 more | 2024-11-12
CVE-2024-50327 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
nvd
CVE-2026-8109 | P3 | MEDIUM | CVSS 6.5 | ≤ 2022 | v2024 | 2026-05-12
CVE-2026-8109 [MEDIUM] CWE-749: An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.
nvd
CVE-2025-6995 | P3 | HIGH | CVSS 8.4 | fixed in 2022 | v2022 +1 more | 2025-07-08
CVE-2025-6995 [HIGH] CWE-257: Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.
nvd
CVE-2025-6996 | P3 | HIGH | CVSS 8.4 | fixed in 2022 | v2022 +1 more | 2025-07-08
CVE-2025-6996 [HIGH] CWE-257: Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.
nvd
CVE-2024-50323 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2024-11-12
CVE-2024-50323 [HIGH] CWE-89: SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
nvd
CVE-2024-13172 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13172 [HIGH] CWE-347: Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
nvd
CVE-2026-8110 | P3 | HIGH | CVSS 7.8 | ≤ 2022 | v2024 | 2026-05-12
CVE-2026-8110 [HIGH] CWE-732: Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.
nvd
CVE-2020-13770 | P3 | HIGH | CVSS 7.8 | ≤ 2020.1.1 | 2020-11-12
CVE-2020-13770 [HIGH] CWE-276: Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (e.g. user ‘NT AUTHORITY\NETWORK SERVICE’).
nvd
CVE-2024-13169 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2025-01-14
CVE-2024-13169 [HIGH] CWE-125: An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
nvd
CVE-2025-22458 | P3 | HIGH | CVSS 7.8 | fixed in 2022 | v2022 +1 more | 2025-04-08
CVE-2025-22458 [HIGH] CWE-427: DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
nvd
CVE-2023-38344 | P3 | MEDIUM | CVSS 6.5 | fixed in 2022 | v2022 | 2023-09-21
CVE-2023-38344 [MEDIUM] CWE-200: An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a re
nvd