At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. We continue to invest significant resources to ensure that all our solutions continue to meet our own high standards. In the best interests of our customers, we are always investigating, assessing, monitoring, and validating the security posture of our solutions. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources.

As part of our ongoing strengthening of the security of our products, we have discovered a new vulnerability in Ivanti EPM. We are reporting this vulnerability as CVE-2023-39336. We have no indication that customers have been impacted by this vulnerability.

This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.

If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server.

Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a fix available now for all supported versions. More detailed information is available in this Security Advisory.

Our Support team is always available to help customers. Cases can be logged via the Success portal (login credentials required).

Ivanti would like to thank hir0ot for their assistance in identifying and reporting the issue in Ivanti EPM.

Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.