Description
SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection in the web console of Ivanti Endpoint Manager allows a remote authenticated attacker to gain code execution privileges on the affected system. The flaw enables arbitrary SQL commands to be executed against the underlying database, which can be leveraged to read or modify data, inject malicious payloads, and ultimately run arbitrary code. This satisfies the definition of a true remote code execution vulnerability and is identified as CWE-89.

Affected Systems

The vulnerability affects Ivanti Endpoint Manager versions released before 2024 SU6. Any installation that has not been updated to 2024 SU6 or later is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The exploit requires victim authentication to the web console, so it is not publicly exploitable without credentials. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, because remote code execution is possible, the risk remains significant, especially if the web console is reachable from untrusted networks.

Generated by OpenCVE AI on May 12, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Endpoint Manager to version 2024 SU6 or later. The vendor has released a patch that eliminates the SQL injection flaw.
  • Restrict external access to the web console by placing it behind a firewall or VPN so that only trusted users can reach it.
  • Monitor authentication and database logs for anomalous activity, and review any unexpected code execution or database changes.

Generated by OpenCVE AI on May 12, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su5:*:*:*:*:*:*

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via SQL Injection in Ivanti Endpoint Manager Web Console
First Time appeared Ivanti
Ivanti endpoint Manager
Vendors & Products Ivanti
Ivanti endpoint Manager

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ivanti Endpoint Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-13T03:57:54.231Z

Reserved: 2026-05-07T16:20:44.212Z

Link: CVE-2026-8111

cve-icon Vulnrichment

Updated: 2026-05-12T19:00:31.810Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T15:16:18.923

Modified: 2026-05-12T19:17:48.713

Link: CVE-2026-8111

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z

Weaknesses