PT-2024-6312 · Ivanti · Ivanti Epm
Published
2024-06-05
·
Updated
2024-09-16
·
CVE-2024-34783
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Ivanti EPM versions prior to 2022 SU6
Ivanti EPM versions prior to the 2024 September update
Description
The issue is related to an unspecified SQL injection in Ivanti EPM, which allows a remote authenticated attacker with admin privileges to achieve remote code execution. This is due to the lack of protection of the SQL query structure. The exploitation of this issue can enable an attacker to execute arbitrary code remotely.
Recommendations
For Ivanti EPM versions prior to 2022 SU6, update to version 2022 SU6 or later.
For Ivanti EPM versions prior to the 2024 September update, apply the 2024 September update or later.
As a temporary workaround, consider restricting access to the
LoadSlotsTable method to minimize the risk of exploitation.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ivanti Epm