Ivanti

All CVEs

446 total · sorted by risk
  • CVE-2024-7593 · Critical · KEV · Aug 13, 2024
    risk 0.86 · cvss 9.8 · epss 1.00

    Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

  • CVE-2026-1340 · Critical · KEV · Jan 29, 2026
    risk 0.84 · cvss 9.8 · epss 0.84

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  • CVE-2026-10520 · Critical · KEV · Jun 9, 2026
    risk 0.77 · cvss 10.0 · epss 0.99

    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution.

  • CVE-2016-4787 · Critical · May 26, 2016
    risk 0.65 · cvss 10.0 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.

  • CVE-2026-10523 · Critical · Jun 9, 2026
    risk 0.64 · cvss 9.9 · epss 0.47

    An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

  • CVE-2016-3147 · Critical · Jan 23, 2017
    risk 0.64 · cvss 9.8 · epss 0.06

    Buffer overflow in the collector.exe listener of the Landesk Management Suite 10.0.0.271 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large packet.

  • CVE-2026-8043 · Critical · May 12, 2026
    risk 0.62 · cvss 9.6 · epss 0.01

    External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

  • CVE-2026-6973 · High · KEV · May 7, 2026
    risk 0.59 · cvss 7.2 · epss 0.34

    An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

  • CVE-2026-5787 · High · May 7, 2026
    risk 0.58 · cvss 8.9 · epss 0.01

    An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

  • CVE-2026-9614 · High · Jun 1, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

  • CVE-2026-8992 · High · May 22, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

  • CVE-2026-5786 · High · May 7, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

  • CVE-2017-11463 · High · Dec 11, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the…

  • CVE-2017-11455 · High · Aug 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to…

  • CVE-2016-4791 · High · May 26, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server side request forgery (SSRF) attacks via…

  • CVE-2023-38551 · High · May 31, 2024
    risk 0.53 · cvss 8.2 · epss 0.01

    A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to a cross-site scripting attack.

  • CVE-2026-8110 · High · May 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

  • CVE-2026-7432 · High · May 12, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM.

  • CVE-2018-8901 · High · Jun 29, 2018
    risk 0.51 · cvss 7.8 · epss 0.01

    An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This…

  • CVE-2024-29205 · High · Apr 25, 2024
    risk 0.49 · cvss 7.5 · epss 0.02

    An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in order to cause service disruptions.

  • CVE-2018-6316 · High · Feb 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti…

  • CVE-2016-4786 · High · May 26, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r3, 8.0 before 8.0r11, and 7.4 before 7.4r13.4 allow remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

  • CVE-2026-7821 · High · May 7, 2026
    risk 0.48 · cvss 7.4 · epss 0.01

    Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance…

  • CVE-2026-10727 · High · Jun 9, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    An OS command injection vulnerability in Ivanti EPMM before 12.9.0.1, 12.8.0.3 and 12.7.0.2 versions allows a remote authenticated attacker to execute arbitrary commands as root.

  • CVE-2026-8051 · High · May 12, 2026
    risk 0.47 · cvss 7.2 · epss 0.02

    OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2014-5362 · High · Sep 19, 2017
    risk 0.47 · cvss 7.2 · epss 0.03

    The admin interface in Landesk Management Suite 9.6 and earlier allows remote attackers to conduct remote file inclusion attacks involving ASPX pages from third-party sites via the d parameter to (1) ldms/sm_actionfrm.asp or (2) remote/frm_coremainfrm.aspx; or the (3) top…

  • CVE-2026-5788 · High · May 7, 2026
    risk 0.46 · cvss 7.0 · epss 0.01

    An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

  • CVE-2026-8109 · Medium · May 12, 2026
    risk 0.42 · cvss 6.5 · epss 0.01

    An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

  • CVE-2018-8902 · Medium · Jun 29, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data,…

  • CVE-2016-4789 · Medium · May 26, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or…

  • CVE-2025-43716 · Medium · Apr 23, 2025
    risk 0.38 · cvss 5.8 · epss 0.01

    A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php to the URI of the /client/index.php endpoint, an attacker can bypass access controls and gain unauthorized access to various endpoints such as…

  • CVE-2016-4788 · Medium · May 26, 2016
    risk 0.38 · cvss 5.8 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.

  • CVE-2016-4790 · Medium · May 26, 2016
    risk 0.36 · cvss 5.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-4792 · Medium · May 26, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.

  • CVE-2026-7431 · Medium · May 12, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

  • CVE-2025-0282 · KEV · Jan 8, 2025
    risk 0.29 · cvss · epss 1.00

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.

  • CVE-2024-21893 · KEV · Jan 31, 2024
    risk 0.29 · cvss · epss 1.00

    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

  • CVE-2024-21887 · KEV · Jan 12, 2024
    risk 0.29 · cvss · epss 1.00

    A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

  • CVE-2023-46805 · KEV · Jan 12, 2024
    risk 0.29 · cvss · epss 1.00

    An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

  • CVE-2023-38035 · KEV · Aug 21, 2023
    risk 0.29 · cvss · epss 1.00

    A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

  • CVE-2021-44529 · KEV · Dec 8, 2021
    risk 0.29 · cvss · epss 0.99

    A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

  • CVE-2025-22457 · KEV · Apr 3, 2025
    risk 0.26 · cvss · epss 1.00

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

  • CVE-2023-35082 · KEV · Aug 15, 2023
    risk 0.26 · cvss · epss 1.00

    An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

  • CVE-2023-35078 · KEV · Jul 25, 2023
    risk 0.26 · cvss · epss 1.00

    An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

  • CVE-2024-29824 · KEV · May 31, 2024
    risk 0.23 · cvss · epss 1.00

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2026-1281 · KEV · Jan 29, 2026
    risk 0.22 · cvss · epss 0.81

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  • CVE-2025-4427 · KEV · May 13, 2025
    risk 0.22 · cvss · epss 1.00

    An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

  • CVE-2024-13159 · KEV · Jan 14, 2025
    risk 0.20 · cvss · epss 1.00

    Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

  • CVE-2024-13160 · KEV · Jan 14, 2025
    risk 0.20 · cvss · epss 0.90

    Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

  • CVE-2024-8963 · KEV · Sep 19, 2024
    risk 0.20 · cvss · epss 0.99

    Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Page 1 of 9