Enterprise software provider Ivanti on Thursday warned of a critical-severity vulnerability in its Endpoint Manager (EPM) product that could be exploited for remote code execution (RCE).
Tracked as CVE-2023-39336, the issue is described as an SQL injection bug that could allow an attacker that has access to the internal network to “execute arbitrary SQL queries and retrieve output without the need for authentication”.
Successful exploitation of the vulnerability, Ivanti notes in its advisory, could allow the attacker to take over devices running the EPM agent.
“When the core server is configured to use SQL express, this might lead to RCE on the core server,” Ivanti notes.
CVE-2023-39336 impacts EPM 2022 Service Update 4 and all prior versions, including EPM 2021 iterations, the company explains. Ivanti EPM 2022 Service Update 5 resolves the bug.
The US-based software provider has not made further details on the flaw available publicly, instead limiting access to customers only, likely to provide them with more time to apply the patches.
Ivanti makes no mention of the vulnerability being targeted in the wild, but security defects in its products are known to have been exploited in malicious attacks, including as zero-days.
One of the most recent such examples is CVE-2023-38035, a critical-severity issue in Ivanti’s Sentry mobile gateway. It was patched in late August 2023, after being exploited as a zero-day against some of the company’s customers.
The month before, Ivanti addressed CVE-2023-35078 and CVE-2023-35081, two exploited bugs in its Endpoint Manager Mobile (EPMM) product. Both issues had been exploited as zero-days, likely by state-sponsored attackers, with CVE-2023-35078 likely exploited since at least April 2023, in attacks targeting the Norwegian government.
Related: Ivanti Patches Dozen Critical Vulnerabilities in Avalanche MDM Product
Related: Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability
Related: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution