Endpoint Manager Mobile
by Ivanti
CVEs (106)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32841 | 0.01 | — | 0.03 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-37376 | 0.01 | — | 0.03 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-50327 | 0.01 | — | 0.01 | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-50322 | 0.01 | — | 0.06 | Nov 12, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. | |||
| CVE-2023-28323 | 0.01 | — | 0.03 | Jun 30, 2023 | A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine… | |||
| CVE-2026-1602 | 0.00 | — | 0.01 | Feb 10, 2026 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-13662 | 0.00 | — | 0.00 | Dec 9, 2025 | Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required. | |||
| CVE-2025-13661 | 0.00 | — | 0.01 | Dec 9, 2025 | Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required. | |||
| CVE-2025-13659 | 0.00 | — | 0.02 | Dec 9, 2025 | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required. | |||
| CVE-2025-10573 | 0.00 | — | 0.29 | Dec 9, 2025 | Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required. | |||
| CVE-2025-10918 | 0.00 | — | 0.00 | Nov 11, 2025 | Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk | |||
| CVE-2025-10986 | 0.00 | — | 0.01 | Oct 14, 2025 | Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk. | |||
| CVE-2025-62384 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62386 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62383 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62391 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62385 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62387 | 0.00 | — | 0.02 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62388 | 0.00 | — | 0.01 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. | |||
| CVE-2025-62389 | 0.00 | — | 0.02 | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. |
- CVE-2024-32841Nov 13, 2024risk 0.01cvss —epss 0.03
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-37376Nov 13, 2024risk 0.01cvss —epss 0.03
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-50327Nov 12, 2024risk 0.01cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-50322Nov 12, 2024risk 0.01cvss —epss 0.06
Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.
- CVE-2023-28323Jun 30, 2023risk 0.01cvss —epss 0.03
A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine…
- CVE-2026-1602Feb 10, 2026risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-13662Dec 9, 2025risk 0.00cvss —epss 0.00
Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.
- CVE-2025-13661Dec 9, 2025risk 0.00cvss —epss 0.01
Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.
- CVE-2025-13659Dec 9, 2025risk 0.00cvss —epss 0.02
Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.
- CVE-2025-10573Dec 9, 2025risk 0.00cvss —epss 0.29
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
- CVE-2025-10918Nov 11, 2025risk 0.00cvss —epss 0.00
Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk
- CVE-2025-10986Oct 14, 2025risk 0.00cvss —epss 0.01
Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk.
- CVE-2025-62384Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62386Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62383Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62391Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62385Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62387Oct 13, 2025risk 0.00cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62388Oct 13, 2025risk 0.00cvss —epss 0.01
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- CVE-2025-62389Oct 13, 2025risk 0.00cvss —epss 0.02
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
Page 3 of 6