CVE-2024-13162

Name of the Vulnerable Software and Affected Versions Ivanti EPM versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update

Description The issue is related to a lack of protection against SQL query structure exploitation, allowing a remote attacker with admin privileges to achieve remote code execution through SQL injection. This issue addresses incomplete fixes from previous security updates.

Recommendations For versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update, apply the respective security updates to resolve the issue. As a temporary workaround, consider restricting access to the updateAssetInfo function until a patch is available. Restrict access to the vulnerable SQL injection endpoint to minimize the risk of exploitation.