Skip to content

Ivanti EPM: Security Vulnerabilities Enable SQL Injection and Privilege Escalation

Man,Interacting,With,A,Holographic,Touchscreen,Interface,In,Red,Color.
(Image: amgun/ Shutterstock.com)

Ivanti warns of three security vulnerabilities in Endpoint Manager (EPM). They enable SQL injection or privilege escalation.

Ivanti warns of security vulnerabilities in the Endpoint Manager, a management software for users and devices in the network. In total, there are three security flaws – one barely misses the classification as “critical”.

In a security advisory, Ivanti discusses [1] the security flaws. An SQL injection vulnerability affects the web console of Ivanti Endpoint Manager. Authenticated attackers can thereby inject and execute malicious code from the network (CVE-2026-8111, CVSS 8.8, risk “high“). Improper privilege assignment in the Endpoint Manager agent also enables privilege escalation in the system by locally logged-in malicious actors (CVE-2026-8110, CVSS 7.8, risk “high“).

In the Endpoint Manager’s core server, authenticated attackers from the network can extract credentials because it has an “exposed dangerous method” (CWE-749 [2]) – access to it is not sufficiently restricted by definition (CVE-2026-8109, CVSS 6.5, risk “medium“). The associated ZDI advisory [3] shows a lower CVSS value and also points out that the existing authentication mechanism can be bypassed.

Ivanti states that software version Ivanti EPM 2024 SU6 remedies the issues. The company also notes that it has no knowledge of the security flaws being exploited. Therefore, it cannot provide any indicators of compromise (IOC). The vulnerabilities were reported by the Zero Day Initiative (ZDI) of Trend Micro (now operating under the TrendAI brand). Despite the name similarity, the flaws are not found in Endpoint Manager Mobile (EPMM), Ivanti further states.

IT administrators should install the update promptly. Vulnerabilities in Ivanti network management software are a goldmine for cybercriminals. Last week, it became known that Ivanti released an update for EPMM that closed security vulnerabilities [4] that were already being exploited on the internet.

(dmk [6])


URL of this article:
https://www.heise.de/-11294605

Links in this article:

  1. https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026?language=en_US
  2. https://cwe.mitre.org/data/definitions/749.html
  3. https://www.zerodayinitiative.com/advisories/ZDI-26-308/
  4. https://www.heise.de/news/Ivanti-EPMM-Update-stopft-bereits-angegriffene-Sicherheitsluecken-11286825.html
  5. heise security PRO
  6. mailto:dmk@heise.de

heise security News

Share on: