Ivanti EPM: Security flaws allow SQL injection, privilege escalation
Ivanti warns of three security vulnerabilities in Endpoint Manager (EPM). They allow SQL injection or privilege escalation.
Ivanti warns of security vulnerabilities in Endpoint Manager, a management software for users and devices in the network. In total, there are three security flaws – one narrowly misses the classification as "critical".
In a security advisory, Ivanti describes the three flaws. An SQL injection vulnerability affects the web console of Ivanti Endpoint Manager; authenticated attackers on the network can use it to inject and execute malicious code (CVE-2026-8111, CVSS 8.8, risk "high"). Incorrect privilege assignment in the Endpoint Manager agent allows locally logged-in malicious actors to escalate their privileges on the system (CVE-2026-8110, CVSS 7.8, risk "high").
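The advisory does not say how the console query is built, so the following is a generic, added illustration of the vulnerability class (not Ivanti's code or schema): the same lookup written once with string concatenation and once with parameter binding, run against a constructed in-memory SQLite table. The table, column and owner names are invented for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed inventory table (sample data, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("laptop-01", "alice"), ("laptop-02", "bob"), ("server-01", "carol")],
    )
    return conn


def devices_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Injection-prone: the untrusted value is spliced into the SQL text,
    so quote characters in it change the meaning of the statement."""
    sql = "SELECT name FROM devices WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def devices_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the value is bound as a parameter, so the database engine
    only ever treats it as data and the query shape is fixed."""
    sql = "SELECT name FROM devices WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    conn = make_db()
    # A benign lookup behaves identically in both variants.
    print(devices_for_owner_vulnerable(conn, "alice"))
    print(devices_for_owner_safe(conn, "alice"))
    # A value containing a quote: the concatenated query leaks every row,
    # the parameterised query simply finds no owner with that literal name.
    tainted = "' OR '1'='1"
    print(devices_for_owner_vulnerable(conn, tainted))
    print(devices_for_owner_safe(conn, tainted))
```

The point for reviewers and defenders is the shape of the fix: authentication (as required for CVE-2026-8111) does not make the concatenated form safe, only binding parameters does, and a code search for string-built SQL is the quickest way to find similar patterns in one's own applications.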
In the Endpoint Manager core server, logged-in attackers on the network can steal credentials through an "exposed dangerous method" (CWE-749), i.e. a method whose access is not sufficiently restricted, per the CWE definition (CVE-2026-8109, CVSS 6.5, risk "medium"). The associated ZDI advisory lists a lower CVSS score but at the same time states that the existing authentication mechanism can be bypassed.
Corrected Software Version
Ivanti states that software version Ivanti EPM 2024 SU6 resolves the issues. The company also says it is not aware of any attacks exploiting the flaws and therefore cannot provide indicators of compromise (IOCs). The vulnerabilities were reported by Trend Micro's Zero Day Initiative (ZDI), which now operates under the TrendAI brand. Despite the similar name, Ivanti adds, the flaws do not affect Endpoint Manager Mobile (EPMM).
IT managers should install the update promptly. Vulnerabilities in Ivanti's network management software are a goldmine for cybercriminals: only last week it became known that Ivanti had patched vulnerabilities in EPMM that were already being exploited on the internet.
(dmk)