Ivanti fixes critical vulnerability in Endpoint Manager


Ivanti, a leader in IT systems and asset management solutions, has released a crucial security update to address a critical vulnerability in its Endpoint Manager (EPM) solution. The vulnerability, identified as CVE-2023-39336 with a CVSS score of 9.6, could allow remote code execution (RCE) on vulnerable servers.

The vulnerability could be exploited by an attacker with access to the internal network, who could take advantage of an unspecified SQL injection to execute arbitrary SQL queries and retrieve their output without authentication. This would not only open the door for the attacker to take control of the machines running the EPM agent; in deployments where the core server is configured to use SQL Express, it could even lead to RCE on the core server itself.

The vulnerability affects EPM 2021 and EPM 2022 prior to Service Update 5 (SU5), which underlines the importance of applying the latest security updates.

This is not the first time Ivanti has faced security challenges: vulnerabilities were previously disclosed in Endpoint Manager Mobile (EPMM) and in the Ivanti Sentry product (formerly MobileIron Sentry). In both cases, the company responded quickly by releasing urgent security patches.

In this latest case, the company has stated that it has no evidence of customers being affected by exploitation of this vulnerability, and it has for now restricted public access to the specific details. This could give users more time to protect their devices before threat actors can craft exploits using the additional information.

Ivanti urges all EPM users to apply the latest 2022 service update, version 5, to mitigate the risks associated with this critical vulnerability. The company’s rapid response demonstrates its commitment to the security of its products used by more than 40,000 companies worldwide to manage IT assets and systems.
