Ivanti, a mobile endpoint security vendor, has issued an urgent alert to users of its endpoint security product to patch a critical vulnerability. The vulnerability, tracked as CVE-2023-39336, is an SQL injection flaw that affects all supported versions of Ivanti Endpoint Manager (EPM). It allows attackers to execute malicious code without authentication, potentially compromising the security of affected networks. Ivanti EPM is designed to manage and secure endpoints, including desktops, laptops, servers, and IoT devices. The company has assigned a severity rating of 9.6 out of 10 to this vulnerability and recommends users apply the available patch promptly to mitigate the risk.
This is not the first time Ivanti has faced such a security issue. In August, the company disclosed a critical vulnerability in its Ivanti Sentry gateway server that could allow an attacker to take complete control of the server. That vulnerability, tracked as CVE-2023-38035, was rated 9.8. Ivanti has faced other software flaws in the past, one of which was used in attacks on Norwegian government ministries.
SQL injection vulnerabilities occur when untrusted input is placed directly into a SQL statement without being escaped or bound as a parameter, so that the input is interpreted as SQL syntax rather than as data and an attacker can execute arbitrary queries. In this case, an attacker with access to the internal network can leverage the SQL injection flaw to execute unauthorized code and gain control over machines running the EPM agent. Failure to address this vulnerability promptly could have severe consequences for affected networks.
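To make the vulnerability class concrete, the following is an added example written for this article; it is not Ivanti's code and says nothing about how EPM itself is implemented. It uses a constructed in-memory SQLite table with a hypothetical `devices` schema and shows the same lookup written two ways: one that formats the caller-supplied agent token into the query string (the injectable pattern) and one that binds it as a parameter (the fix). A small allow-list check on the token format is included as defence in depth, since a patch and parameterized queries, not input filtering, are the primary mitigation.

```python
import re
import sqlite3

# Constructed sample inventory standing in for an endpoint-management
# database. The schema and values are hypothetical, not Ivanti's.
SAMPLE_DEVICES = [
    ("host-001", "agent-7f3a", "workstation"),
    ("host-002", "agent-91c0", "server"),
    ("host-003", "agent-b24e", "iot"),
]

# Expected shape of a legitimate agent token in this toy schema.
TOKEN_RE = re.compile(r"^agent-[0-9a-f]{4}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (hostname TEXT, agent_token TEXT, kind TEXT)"
    )
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, agent_token: str) -> list:
    """Injectable: the token is spliced into the statement text, so any quote
    characters it contains become part of the SQL syntax."""
    sql = (
        "SELECT hostname, kind FROM devices "
        f"WHERE agent_token = '{agent_token}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, agent_token: str) -> list:
    """Hardened: the token is passed as a bound parameter and can only ever be
    compared as a value, never parsed as SQL."""
    sql = "SELECT hostname, kind FROM devices WHERE agent_token = ?"
    return conn.execute(sql, (agent_token,)).fetchall()


def is_well_formed_token(agent_token: str) -> bool:
    """Defence in depth: reject tokens that do not match the expected format
    before they reach any query at all."""
    return TOKEN_RE.fullmatch(agent_token) is not None


def compare(agent_token: str) -> dict:
    """Run both lookups on the same input so the difference is visible."""
    conn = make_db()
    return {
        "well_formed": is_well_formed_token(agent_token),
        "vulnerable_rows": lookup_vulnerable(conn, agent_token),
        "safe_rows": lookup_safe(conn, agent_token),
    }


if __name__ == "__main__":
    # A legitimate token returns one row either way; a token carrying SQL
    # syntax returns the whole table from the vulnerable lookup and nothing
    # from the parameterized one.
    for token in ("agent-91c0", "' OR '1'='1"):
        print(repr(token), compare(token))
```

Running the script shows the parameterized lookup treating the second input as an ordinary (non-matching) string, while the string-formatted version silently widens the `WHERE` clause to match every device. The allow-list check is a secondary control: it catches malformed tokens early, but the bound parameter is what actually removes the injection.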
Ivanti has emphasized the urgent need for users to apply the provided patch and has recommended that users prioritize its installation. The company warns that failure to do so could result in attackers exploiting the vulnerability to compromise the security of the affected networks.
