Ivanti

All CVEs

446 total · sorted by risk
  • CVE-2025-10986 · Oct 14, 2025
    risk 0.00 · cvss · epss 0.01

    Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk.

  • CVE-2025-62384 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62386 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62383 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62391 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62385 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62387 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62388 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62389 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62390 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-62392 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-11623 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-9713 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.14

    Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

  • CVE-2025-11622 · Oct 13, 2025
    risk 0.00 · cvss · epss 0.01

    Insecure deserialization in Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to escalate their privileges.

  • CVE-2025-55144 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with…

  • CVE-2025-55143 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to…

  • CVE-2025-55142 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with…

  • CVE-2025-55141 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with…

  • CVE-2025-55139 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to…

  • CVE-2025-55148 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with…

  • CVE-2025-55147 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute sensitive…

  • CVE-2025-55146 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker…

  • CVE-2025-55145 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to…

  • CVE-2025-8711 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.00

    CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute limited…

  • CVE-2025-8712 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.00

    Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with…

  • CVE-2025-9872 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.13

    Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

  • CVE-2025-9712 · Sep 9, 2025
    risk 0.00 · cvss · epss 0.20

    Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

  • CVE-2025-5468 · Aug 12, 2025
    risk 0.00 · cvss · epss 0.00

    Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local…

  • CVE-2025-5466 · Aug 12, 2025
    risk 0.00 · cvss · epss 0.01

    XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to…

  • CVE-2025-5462 · Aug 12, 2025
    risk 0.00 · cvss · epss 0.01

    A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated…

  • CVE-2025-5456 · Aug 12, 2025
    risk 0.00 · cvss · epss 0.01

    A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated…

  • CVE-2025-8310 · Aug 12, 2025
    risk 0.00 · cvss · epss 0.01

    Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password.

  • CVE-2023-39339 · Jul 12, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.

  • CVE-2023-38036 · Jul 12, 2025
    risk 0.00 · cvss · epss 0.02

    A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.

  • CVE-2025-0292 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.01

    SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.

  • CVE-2025-0293 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    CRLF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.

  • CVE-2025-5464 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information.

  • CVE-2025-5463 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.

  • CVE-2025-5451 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.01

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service.

  • CVE-2025-5450 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.

  • CVE-2025-7037 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database.

  • CVE-2025-6996 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

  • CVE-2025-6995 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

  • CVE-2025-5353 · Jun 10, 2025
    risk 0.00 · cvss · epss 0.00

    A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt stored SQL credentials.

  • CVE-2025-22463 · Jun 10, 2025
    risk 0.00 · cvss · epss 0.00

    A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt the stored environment password.

  • CVE-2025-22455 · Jun 10, 2025
    risk 0.00 · cvss · epss 0.00

    A hardcoded key in Ivanti Workspace Control before version 10.19.0.0 allows a local authenticated attacker to decrypt stored SQL credentials.

  • CVE-2025-22460 · May 13, 2025
    risk 0.00 · cvss · epss 0.00

    Default credentials in Ivanti Cloud Services Application before version 5.0.5 allow a local authenticated attacker to escalate their privileges.

  • CVE-2025-22466 · Apr 8, 2025
    risk 0.00 · cvss · epss 0.01

    Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

  • CVE-2025-22465 · Apr 8, 2025
    risk 0.00 · cvss · epss 0.01

    Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser. Unlikely user interaction is required.

  • CVE-2025-22464 · Apr 8, 2025
    risk 0.00 · cvss · epss 0.00

    An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.
