Critical Remote Code Execution Vulnerability in Ivanti’s Endpoint Management Software

January 4, 2024

Ivanti has issued a warning and fix for a critical remote code execution (RCE) vulnerability found in its Endpoint Management software (EPM). The vulnerability, identified as CVE-2023-39366, could have allowed unauthenticated attackers to gain control over devices enrolled in the EPM or the core server itself.

Ivanti's EPM is used to manage client devices running a range of platforms, including Windows, macOS, Chrome OS, and various IoT operating systems. The flaw affects all supported versions of Ivanti EPM and is fixed in the 2022 Service Update 5.

The vulnerability could be exploited by attackers with access to a target's internal network; the attack is low in complexity and requires neither privileges nor user interaction. Ivanti states, "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server."
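Ivanti has not disclosed where the injection lies, so the following is a generic illustration of the vulnerability class the advisory names, added here as an example; it is not Ivanti's code and its table, column names and sample rows are constructed. It shows the difference between a query built by string concatenation, where input supplied by an unauthenticated caller becomes part of the SQL statement, and the same lookup with a bound parameter, which is the standard fix.

```python
import sqlite3

# Constructed sample data: a tiny device inventory standing in for any
# management server's database. Neither the schema nor the rows are Ivanti's.
SAMPLE_DEVICES = [
    ("WS-001", "alice", "active"),
    ("WS-002", "bob", "active"),
    ("SRV-01", "svc-backup", "retired"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_vulnerable(conn, owner):
    """Hypothetical vulnerable lookup: the caller's value is spliced into the SQL text,
    so a value containing a quote can close the literal and extend the WHERE clause."""
    sql = "SELECT name FROM devices WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    """Hardened lookup: the value travels as a bound parameter and is compared as data,
    so it can never alter the structure of the statement."""
    sql = "SELECT name FROM devices WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both lookups against a benign value and a constructed value that
    carries a quote and an always-true clause; return the four result sets."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed input, not from any real advisory
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:22s} -> {names}")
```

The concatenated version returns every row for the crafted value because the WHERE clause it produces is always true; the parameterized version returns nothing, since no owner is literally named that. The same principle applies regardless of database engine: parameterize every query that touches caller-controlled data, and run the database account with the least privilege the application needs so that a query flaw cannot escalate to command execution on the host.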

Currently, Ivanti has not found any evidence of customers being impacted by this vulnerability. The company has restricted public access to a detailed advisory on CVE-2023-39366, likely to give customers additional time to secure their devices before threat actors can devise exploits using the extra information.

Previously, in July, state-affiliated hackers exploited two zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to gain access to the networks of several Norwegian government organizations. The Cybersecurity and Infrastructure Security Agency (CISA) warned, "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability."

Another zero-day vulnerability (CVE-2023-38035) in Ivanti's Sentry software was exploited a month later. Ivanti also patched numerous critical security vulnerabilities in its Avalanche enterprise mobile device management solution in December and August. Ivanti's products are employed by over 40,000 companies globally to manage their IT assets and systems.
