CVE-2024-32842

Name of the Vulnerable Software and Affected Versions Ivanti EPM versions before 2022 SU6 Ivanti EPM versions before the 2024 September update

Description The issue is related to an unspecified SQL injection in Ivanti EPM, which allows a remote authenticated attacker with admin privileges to achieve remote code execution. This is due to the lack of protection of the SQL query structure. The exploitation of this issue can allow an attacker to execute arbitrary code by injecting specially crafted SQL code.

Recommendations For Ivanti EPM versions before 2022 SU6, update to version 2022 SU6 or later to resolve the issue. For Ivanti EPM versions before the 2024 September update, apply the 2024 September update or later to resolve the issue. As a temporary workaround, consider restricting access to the GetVulnerabilitiesDataTable function until a patch is available.