Reference: Advisory #2024-01
Version: 1.0
Affected software: Ivanti EPM 2021 / EPM 2022 prior to SU5
Type: SQL Injection
CVE/CVSS: CVE-2023-39336 : CVSS 9.6 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US
Risks
An attacker with access to the local network can exploit a vulnerability in Ivanti Endpoint Manager (EPM) to gain control of all devices with the EPM agent installed. This could result in a complete compromise of all enrolled machines in your organization.
The Centre for Cybersecurity Belgium warns that Ivanti products have been exploited by threat actors in the past.
Description
CVE-2023-39336 is an SQL injection vulnerability in Ivanti EPM that allows an attacker to execute arbitrary SQL queries and retrieve their output without authentication. This vulnerability can be used to take control of other machines running the EPM agent software.
Additionally, if the server on which Ivanti EPM is installed uses SQL Express, this vulnerability could lead to remote code execution (RCE) on the host server.
Ivanti has not yet publicly disclosed the details of this vulnerability.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The latest version for Ivanti EPM at the time of writing is 2022 SU5.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39336