Endpoint Manager Mobile
by Ivanti
CVEs (106)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-62390 | | | 0.00 | — | 0.02 | | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. |
| CVE-2025-62392 | | | 0.00 | — | 0.01 | | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. |
| CVE-2025-11623 | | | 0.00 | — | 0.01 | | Oct 13, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. |
| CVE-2025-9713 | | | 0.00 | — | 0.14 | | Oct 13, 2025 | Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2025-11622 | | | 0.00 | — | 0.01 | | Oct 13, 2025 | Insecure deserialization in Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to escalate their privileges. |
| CVE-2025-9872 | | | 0.00 | — | 0.13 | | Sep 9, 2025 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2025-9712 | | | 0.00 | — | 0.20 | | Sep 9, 2025 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2025-7037 | | | 0.00 | — | 0.01 | | Jul 8, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database. |
| CVE-2025-6996 | | | 0.00 | — | 0.00 | | Jul 8, 2025 | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords. |
| CVE-2025-6995 | | | 0.00 | — | 0.00 | | Jul 8, 2025 | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords. |
| CVE-2025-22466 | | | 0.00 | — | 0.01 | | Apr 8, 2025 | Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. |
| CVE-2025-22465 | | | 0.00 | — | 0.01 | | Apr 8, 2025 | Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required. |
| CVE-2025-22464 | | | 0.00 | — | 0.00 | | Apr 8, 2025 | An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition. |
| CVE-2025-22461 | | | 0.00 | — | 0.01 | | Apr 8, 2025 | SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. |
| CVE-2025-22459 | | | 0.00 | — | 0.00 | | Apr 8, 2025 | Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers. |
| CVE-2025-22458 | | | 0.00 | — | 0.00 | | Apr 8, 2025 | DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. |
| CVE-2024-13164 | | | 0.00 | — | 0.00 | | Jan 14, 2025 | An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-13165 | | | 0.00 | — | 0.02 | | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-13166 | | | 0.00 | — | 0.02 | | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-13167 | | | 0.00 | — | 0.02 | | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |