---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in Ivanti EPM'
number: '2024-094'
version: '1.0'
original_date: '2024-09-10'
date: '2024-09-11'
---

_History:_

* _11/09/2024 --- v1.0 -- Initial publication_

# Summary

On September 10, 2024, Ivanti addressed several critical and high severity security vulnerabilities in its Endpoint Manager (EPM) product [1]. It is recommended to update as soon as possible.

# Technical Details

The most severe vulnerability, **CVE-2024-29847**, with a CVSS score of 10, is due to improper input validation which could lead to deserialisation of untrusted data in the agent portal of Ivanti EPM. It could allow a remote unauthenticated attacker to achieve remote code execution.

The vulnerabilities **CVE-2024-32840**, **CVE-2024-32842**, **CVE-2024-32843**, **CVE-2024-32845**, **CVE-2024-32846**, **CVE-2024-32848** and **CVE-2024-34779**, with a CVSS score of 9.1, are SQL injection flaws in Ivanti EPM. They could allow an authenticated remote attacker with admin privileges to achieve remote code execution on the server.

# Affected Products

The following product versions are affected [1]:

- Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier.
- Ivanti Endpoint Manager (EPM) 2024.

# Recommendations

CERT-EU strongly recommends updating affected devices as soon as possible.

# References

[1]