CVE-2024-13162

High

Published: 14 January 2025

Modified: 11 July 2025
KEV Added
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4376 (97.5th percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.

Security Summary

CVE-2024-13162 is a SQL injection vulnerability (CWE-89) affecting Ivanti Endpoint Manager (EPM) versions prior to the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. It enables remote code execution and addresses incomplete fixes from the earlier CVE-2024-32848. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high confidentiality, integrity, and availability impact, network accessibility, low attack complexity, no user interaction, and a requirement for high (admin) privileges.

A remote authenticated attacker possessing admin privileges can exploit this SQL injection flaw to execute arbitrary code on the affected Ivanti EPM server. No user interaction is required, and the attack operates over the network with relatively low complexity once authentication is achieved.

Ivanti's security advisory at https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 details the January-2025 security updates for EPM 2024 and EPM 2022 SU6 as the primary mitigation, urging administrators to apply these patches promptly to address the vulnerability and its predecessor.

Details

CWE(s)
CWE-89

Affected Products

Vendor: ivanti
Product: endpoint manager
Versions: 2022, 2024 · ≤ 2022