Ivanti has successfully resolved a critical remote code execution (RCE) vulnerability found in its Endpoint Management software (EPM). This flaw, identified as CVE-2023-39366, posed a significant risk as unauthenticated attackers could potentially hijack devices enrolled in the system or compromise the core server. Ivanti EPM is designed to manage client devices on various platforms, including Windows, macOS, Chrome OS, and IoT operating systems. The vulnerability, present in all supported Ivanti EPM versions, has been addressed with the release of version 2022 Service Update 5.
The security flaw allowed attackers with access to a target’s internal network to exploit it through low-complexity attacks that didn’t require privileges or user interaction. The nature of the vulnerability involved an unspecified SQL injection, enabling the execution of arbitrary SQL queries without the need for authentication. This could lead to the attacker gaining control over machines running the EPM agent. In cases where the core server was configured to use SQL express, it might even result in remote code execution (RCE) on the core server.
While Ivanti reports no evidence of customer impact from this vulnerability, the company has taken proactive measures to secure its users. Ivanti has blocked public access to the advisory containing detailed information about CVE-2023-39366. This strategic move aims to provide Ivanti’s customers with additional time to secure their devices before potential threat actors could exploit the vulnerability using the disclosed details.
