Vendor CVEs
Ivanti
All CVEs
446 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-39711 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38656 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32844 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34787 | | | 0.01 | — | 0.18 | | Nov 13, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. |
| CVE-2024-32847 | | | 0.01 | — | 0.03 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32841 | | | 0.01 | — | 0.03 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34782 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-39710 | | | 0.01 | — | 0.02 | | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-37376 | | | 0.01 | — | 0.03 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-9420 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution. |
| CVE-2024-50327 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-50322 | | | 0.01 | — | 0.06 | | Nov 12, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. |
| CVE-2024-50321 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-50319 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-50318 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-50317 | | | 0.01 | — | 0.01 | | Nov 12, 2024 | A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-37397 | | | 0.01 | — | 0.59 | | Sep 12, 2024 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. |
| CVE-2024-32843 | | | 0.01 | — | 0.02 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32846 | | | 0.01 | — | 0.02 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32842 | | | 0.01 | — | 0.02 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38652 | | | 0.01 | — | 0.08 | | Aug 14, 2024 | Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion. |
| CVE-2024-36136 | | | 0.01 | — | 0.02 | | Aug 14, 2024 | An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. |
| CVE-2024-7569 | | | 0.01 | — | 0.02 | | Aug 13, 2024 | An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information. |
| CVE-2024-34788 | | | 0.01 | — | 0.01 | | Aug 7, 2024 | An improper authentication vulnerability in web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information. |
| CVE-2024-25000 | | | 0.01 | — | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-24999 | | | 0.01 | — | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-24997 | | | 0.01 | — | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-27976 | | | 0.01 | — | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-29204 | | | 0.01 | — | 0.04 | | Apr 19, 2024 | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands. |
| CVE-2024-21894 | | | 0.01 | — | 0.19 | | Apr 4, 2024 | A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions this may… |
| CVE-2024-22053 | | | 0.01 | — | 0.04 | | Apr 4, 2024 | A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read… |
| CVE-2023-46808 | | | 0.01 | — | 0.02 | | Mar 31, 2024 | A file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user. |
| CVE-2023-28323 | | | 0.01 | — | 0.03 | | Jun 30, 2023 | A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine… |
| CVE-2022-36980 | | | 0.01 | — | 0.83 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-36977 | | | 0.01 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… |
| CVE-2022-35254 | | | 0.01 | — | 0.03 | | Dec 5, 2022 | An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust… |
| CVE-2022-27773 | | | 0.01 | — | 0.03 | | Dec 5, 2022 | A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges. |
| CVE-2022-35258 | | | 0.01 | — | 0.03 | | Dec 5, 2022 | An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust… |
| CVE-2022-21828 | | | 0.01 | — | 0.04 | | Mar 4, 2022 | A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using an unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and… |
| CVE-2021-42133 | | | 0.01 | — | 0.03 | | Dec 7, 2021 | An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write. |
| CVE-2021-42128 | | | 0.01 | — | 0.04 | | Dec 7, 2021 | An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service. |
| CVE-2020-12441 | | | 0.01 | — | 0.04 | | Aug 6, 2020 | Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet. |
| CVE-2019-12377 | | | 0.01 | — | 0.06 | | Jun 3, 2019 | A vulnerable upl/async_upload.asp web API endpoint in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution. |
| CVE-2008-2468 | | | 0.01 | — | 0.10 | | Sep 18, 2008 | Multiple buffer overflows in the QIP Server Service (aka qipsrvr.exe) in LANDesk Management Suite, Security Suite, and Server Manager 8.8 and earlier allow remote attackers to execute arbitrary code via a crafted heal request, related to the StringToMap and StringSize arguments. |
| CVE-2026-1602 | | | 0.00 | — | 0.01 | | Feb 10, 2026 | SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database. |
| CVE-2025-13662 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required. |
| CVE-2025-13661 | | | 0.00 | — | 0.01 | | Dec 9, 2025 | Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required. |
| CVE-2025-13659 | | | 0.00 | — | 0.02 | | Dec 9, 2025 | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required. |
| CVE-2025-10573 | | | 0.00 | — | 0.29 | | Dec 9, 2025 | Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required. |
| CVE-2025-10918 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk. |