EPM
by Ivanti
CVEs (58)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13159 | Cri | 0.84 | 9.8 | 1.00 | KEV | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-13161 | Cri | 0.83 | 9.8 | 0.89 | KEV | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-13160 | Cri | 0.83 | 9.8 | 0.90 | KEV | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |
| CVE-2024-29824 | Hig | 0.80 | 8.8 | 1.00 | KEV | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | |
| CVE-2024-29847 | Cri | 0.68 | 9.8 | 0.53 | Sep 12, 2024 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. | ||
| CVE-2024-29826 | Hig | 0.65 | 8.8 | 1.00 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29825 | Hig | 0.65 | 8.8 | 1.00 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29823 | Hig | 0.65 | 8.8 | 1.00 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-10811 | Cri | 0.64 | 9.8 | 0.03 | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | ||
| CVE-2023-28323 | Cri | 0.64 | 9.8 | 0.03 | Jul 1, 2023 | A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine… | ||
| CVE-2022-27773 | Cri | 0.64 | 9.8 | 0.03 | Dec 5, 2022 | A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges. | ||
| CVE-2024-29827 | Hig | 0.63 | 8.8 | 0.72 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29822 | Hig | 0.62 | 8.8 | 0.64 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2025-9712 | Hig | 0.59 | 8.8 | 0.20 | Sep 9, 2025 | Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. | ||
| CVE-2024-37397 | Hig | 0.58 | 8.2 | 0.59 | Sep 12, 2024 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | ||
| CVE-2024-29846 | Hig | 0.53 | 8.0 | 0.08 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29830 | Hig | 0.53 | 8.0 | 0.08 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29829 | Hig | 0.53 | 8.0 | 0.08 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-29828 | Hig | 0.53 | 8.0 | 0.08 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. | ||
| CVE-2024-13171 | Hig | 0.52 | 7.8 | 0.18 | Jan 14, 2025 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. |
- risk 0.84cvss 9.8epss 1.00
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- risk 0.83cvss 9.8epss 0.89
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- risk 0.83cvss 9.8epss 0.90
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- risk 0.80cvss 8.8epss 1.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.68cvss 9.8epss 0.53
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
- risk 0.65cvss 8.8epss 1.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.65cvss 8.8epss 1.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.65cvss 8.8epss 1.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.64cvss 9.8epss 0.03
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- risk 0.64cvss 9.8epss 0.03
A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine…
- risk 0.64cvss 9.8epss 0.03
A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges.
- risk 0.63cvss 8.8epss 0.72
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.62cvss 8.8epss 0.64
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- risk 0.59cvss 8.8epss 0.20
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
- risk 0.58cvss 8.2epss 0.59
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
- risk 0.53cvss 8.0epss 0.08
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
- risk 0.53cvss 8.0epss 0.08
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
- risk 0.53cvss 8.0epss 0.08
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
- risk 0.53cvss 8.0epss 0.08
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
- risk 0.52cvss 7.8epss 0.18
Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
Page 1 of 3