CVSS: 8.3EPSS: 15%CPEs: 1EXPL: 4CVE-2025-4428 – Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-4428
13 May 2025 — Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as repr... • https://packetstorm.news/files/id/193081 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 80%CPEs: 1EXPL: 3CVE-2025-4427 – Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-4427
13 May 2025 — An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library. • https://packetstorm.news/files/id/193081 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22466
https://notcve.org/view.php?id=CVE-2025-22466
08 Apr 2025 — Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22465
https://notcve.org/view.php?id=CVE-2025-22465
08 Apr 2025 — Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22464
https://notcve.org/view.php?id=CVE-2025-22464
08 Apr 2025 — An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-822: Untrusted Pointer Dereference •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22461 – Ivanti Endpoint Manager OpenRecordSet SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-22461
08 Apr 2025 — SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the OpenRecordSet method. The issue results from the lack of proper validation of a user-supplied... • https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22459
https://notcve.org/view.php?id=CVE-2025-22459
08 Apr 2025 — Improper certificate validation in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to intercept limited traffic between clients and servers. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-296: Improper Following of a Certificate's Chain of Trust •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-22458 – Ivanti Endpoint Manager DLL Hijacking / Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-22458
08 Apr 2025 — DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System. The EPM Security Scan (Vulscan) Self Update is vulnerable to DLL hijacking. When it is installed on a client machine, by default, it creates a scheduled task as SYSTEM that when run, tries to load non-existent ZIP files from ProgramData. A malicious DLL can be inserted into one of the ZIP files which will be unzipped to and loaded from Program Files (x86) allowi... • https://packetstorm.news/files/id/193111 • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.3EPSS: 2%CPEs: 1EXPL: 0CVE-2024-13162 – Ivanti Endpoint Manager updateAssetInfo SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-13162
14 Jan 2025 — SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the update... • https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13163 – Ivanti Endpoint Manager DecodeBase64Object Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-13163
14 Jan 2025 — Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternative... • https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 • CWE-502: Deserialization of Untrusted Data •