Vendor CVEs
Ivanti
All CVEs
446 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13180 | | | 0.03 | — | 0.28 | | Jan 14, 2025 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011. |
| CVE-2025-0283 | | | 0.03 | — | 0.17 | | Jan 8, 2025 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-47008 | | | 0.03 | — | 0.47 | | Oct 8, 2024 | Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information. |
| CVE-2024-32840 | | | 0.03 | — | 0.25 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34779 | | | 0.03 | — | 0.24 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34785 | | | 0.03 | — | 0.25 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32845 | | | 0.03 | — | 0.24 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-8191 | | | 0.03 | — | 0.20 | | Sep 10, 2024 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2024-24996 | | | 0.03 | — | 0.32 | | Apr 19, 2024 | A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. |
| CVE-2023-46262 | | | 0.03 | — | 0.83 | | Dec 19, 2023 | An unauthenticated attacker could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server. |
| CVE-2022-36983 | | | 0.03 | — | 0.05 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of… |
| CVE-2010-2892 | | | 0.03 | — | 0.04 | | Nov 15, 2010 | gsb/drivers.php in LANDesk Management Gateway 4.0 through 4.0-1.48 and 4.2 through 4.2-1.8 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the DRIVES parameter, as demonstrated by a cross-site request forgery (CSRF) attack. |
| CVE-2008-6195 | | | 0.03 | — | 0.03 | | Feb 20, 2009 | Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.exe) in LANDesk Management Suite (LDMS) 8.80.1.1 and earlier allows remote attackers to read arbitrary files via a subdirectory name followed by ".." sequences, a different vulnerability than CVE-2008-1643. |
| CVE-2025-6771 | | | 0.02 | — | 0.15 | | Jul 8, 2025 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution. |
| CVE-2025-22467 | | | 0.02 | — | 0.04 | | Feb 11, 2025 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution. |
| CVE-2024-13158 | | | 0.02 | — | 0.03 | | Jan 14, 2025 | An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-11005 | | | 0.02 | — | 0.02 | | Nov 12, 2024 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-11006 | | | 0.02 | — | 0.02 | | Nov 12, 2024 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-11007 | | | 0.02 | — | 0.02 | | Nov 12, 2024 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-50329 | | | 0.02 | — | 0.02 | | Nov 12, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. |
| CVE-2024-50328 | | | 0.02 | — | 0.02 | | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-29848 | | | 0.02 | — | 0.64 | | May 31, 2024 | An unrestricted file upload vulnerability in the web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM. |
| CVE-2024-23532 | | | 0.02 | — | 0.02 | | Apr 19, 2024 | An out-of-bounds read vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution. |
| CVE-2021-22962 | | | 0.02 | — | 0.91 | | Dec 19, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. |
| CVE-2022-36976 | | | 0.02 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… |
| CVE-2022-36972 | | | 0.02 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… |
| CVE-2022-36973 | | | 0.02 | — | 0.06 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-36975 | | | 0.02 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… |
| CVE-2022-36979 | | | 0.02 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-44574 | | | 0.02 | — | 0.65 | | Mar 10, 2023 | An improper authentication vulnerability in Avalanche version 6.3.x and below allows an unauthenticated attacker to modify properties on a specific port. |
| CVE-2022-22572 | | | 0.02 | — | 0.02 | | Apr 11, 2022 | A non-admin user with user management permission can escalate his privilege to admin user via password reset functionality. The vulnerability affects Incapptic Connect version < 1.40.1. |
| CVE-2021-42131 | | | 0.02 | — | 0.67 | | Dec 7, 2021 | A SQL injection vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. |
| CVE-2019-10651 | | | 0.02 | — | 0.04 | | Jul 11, 2019 | An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update. |
| CVE-2025-10985 | | | 0.01 | — | 0.21 | | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2025-10243 | | | 0.01 | — | 0.21 | | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2025-10242 | | | 0.01 | — | 0.21 | | Oct 14, 2025 | OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2025-8297 | | | 0.01 | — | 0.01 | | Aug 12, 2025 | Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2025-8296 | | | 0.01 | — | 0.01 | | Aug 12, 2025 | SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution. |
| CVE-2025-6770 | | | 0.01 | — | 0.12 | | Jul 8, 2025 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution. |
| CVE-2025-22462 | | | 0.01 | — | 0.02 | | May 13, 2025 | An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system. |
| CVE-2024-37401 | | | 0.01 | — | 0.01 | | Dec 11, 2024 | An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-11772 | | | 0.01 | — | 0.08 | | Dec 10, 2024 | Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-11639 | | | 0.01 | — | 0.05 | | Dec 10, 2024 | An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. |
| CVE-2024-11634 | | | 0.01 | — | 0.02 | | Dec 10, 2024 | Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx) |
| CVE-2024-11633 | | | 0.01 | — | 0.02 | | Dec 10, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38655 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34784 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34780 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-39712 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32839 | | | 0.01 | — | 0.03 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
Page 3 of 9