Endpoint Manager Mobile
by Ivanti
CVEs (106)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13162 | 0.05 | — | 0.64 | Jan 14, 2025 | SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. | |||
| CVE-2024-13163 | 0.03 | — | 0.09 | Jan 14, 2025 | Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. | |||
| CVE-2024-13171 | 0.03 | — | 0.18 | Jan 14, 2025 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. | |||
| CVE-2024-8191 | 0.03 | — | 0.20 | Sep 10, 2024 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | |||
| CVE-2025-6771 | 0.02 | — | 0.15 | Jul 8, 2025 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution | |||
| CVE-2024-13158 | 0.02 | — | 0.03 | Jan 14, 2025 | An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-50329 | 0.02 | — | 0.02 | Nov 12, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. | |||
| CVE-2024-50328 | 0.02 | — | 0.02 | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2019-10651 | 0.02 | — | 0.04 | Jul 11, 2019 | An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update. | |||
| CVE-2025-10985 | 0.01 | — | 0.21 | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2025-10243 | 0.01 | — | 0.21 | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2025-10242 | 0.01 | — | 0.21 | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2025-6770 | 0.01 | — | 0.12 | Jul 8, 2025 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution | |||
| CVE-2024-34784 | 0.01 | — | 0.02 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-34780 | 0.01 | — | 0.02 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32839 | 0.01 | — | 0.03 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32844 | 0.01 | — | 0.02 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-34787 | 0.01 | — | 0.18 | Nov 13, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. | |||
| CVE-2024-32847 | 0.01 | — | 0.03 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32841 | 0.01 | — | 0.03 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
- CVE-2024-13162Jan 14, 2025risk 0.05cvss —epss 0.64
SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.
- CVE-2024-13163Jan 14, 2025risk 0.03cvss —epss 0.09
Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
- CVE-2024-13171Jan 14, 2025risk 0.03cvss —epss 0.18
Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
- CVE-2024-8191Sep 10, 2024risk 0.03cvss —epss 0.20
SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
- CVE-2025-6771Jul 8, 2025risk 0.02cvss —epss 0.15
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution
- CVE-2024-13158Jan 14, 2025risk 0.02cvss —epss 0.03
An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-50329Nov 12, 2024risk 0.02cvss —epss 0.02
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
- CVE-2024-50328Nov 12, 2024risk 0.02cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2019-10651Jul 11, 2019risk 0.02cvss —epss 0.04
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.
- CVE-2025-10985Oct 14, 2025risk 0.01cvss —epss 0.21
OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2025-10243Oct 14, 2025risk 0.01cvss —epss 0.21
OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2025-10242Oct 14, 2025risk 0.01cvss —epss 0.21
OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2025-6770Jul 8, 2025risk 0.01cvss —epss 0.12
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution
- CVE-2024-34784Nov 13, 2024risk 0.01cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-34780Nov 13, 2024risk 0.01cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32839Nov 13, 2024risk 0.01cvss —epss 0.03
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32844Nov 13, 2024risk 0.01cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-34787Nov 13, 2024risk 0.01cvss —epss 0.18
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
- CVE-2024-32847Nov 13, 2024risk 0.01cvss —epss 0.03
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32841Nov 13, 2024risk 0.01cvss —epss 0.03
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Page 2 of 6