A critical severity SQL injection vulnerability has been discovered in the Ivanti Endpoint Manager. Tracked as CVE-2023-39336, the vulnerability has been given a critical severity rating with a CVSS score of 9.6. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary SQL queries and retrieve output without needing authentication.
Ivanti Endpoint Manager is an all-in-one endpoint management software. It’s a one-stop solution to manage user profiles and all client devices that support Windows, macOS, Linux, Chrome OS, and IoT.
An attacker must have access to the internal network to exploit the vulnerability. A low-complexity attack can exploit the vulnerability without privileges or user interaction. Successful exploitation of the vulnerability may lead to an attacker taking control over machines running the EPM agent. The vulnerability can be exploited in all instances of MSSQL. Additionally, when the core server is configured to use Microsoft SQL Express, the exploitation might lead to remote code execution on the core server.
The vulnerability affects Ivanti EPM 2021 and EPM 2022 before SU5.
To patch the vulnerability, customers must upgrade to Ivanti Endpoint Manager (EPM) 2022 SU5 or above.
For more information, please refer to Ivanti Security Advisory.
Qualys customers can scan their devices with QID 379224 to detect vulnerable assets. The QID checks for the vulnerable version of Ivanti EPM by fetching the version from the registry.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.