The vulnerability is a classic SQL injection in the data access layer of Ivanti Endpoint Manager. An authenticated user who can log into the console can exploit a flaw in the input validation of a query parameter, enabling them to inject arbitrary SQL and read any table in the underlying database. This results in non‑destructive data exposure; attackers cannot modify data, but can compromise confidentiality of sensitive configuration, user credentials, or internal network information. The weakness is categorized as CWE-89.

Affected versions include Ivanti Endpoint Manager 2024 prior to the SU5 release. All service‑update branches up to SU4, including SU1, SU2, SU3, and SU3 security release 1, SU4, SU4 sr1, and the generic 2024 release, are impacted. The impact applies to any deployment where the console runs on a machine that exposes a database and an authenticated session. All instances that have the vulnerable component and allow a user to submit the affected input are at risk.

The issue is scored CVSS 6.5, indicating moderate severity. EPSS is less than 1%, suggesting a low likelihood of exploitation at this time. The vulnerability appears in the KEV catalog only as not listed, so no widespread exploitation is documented. The realistic attack surface requires an insider or compromised user account with at least read privileges. Considering the need for authentication, the risk to an organization hinges on password hygiene and segregation of duties. If an attacker gains the necessary credentials, they can read arbitrary data, but not execute code or modify data. The combination of moderate CVSS and very low EPSS puts the overall risk at moderate but with limited active exploitation pressure.