On 4 January 2024, Ivanti released an advisory concerning a critical severity vulnerability tracked as CVE-2023-39336 (CVSS score estimated to be 9.6) impacting Endpoint Manager (EPM) 2022 SU4 and all prior versions.
The flaw enables a potential unauthenticated attacker with internal network access to leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output. Ramifications of the attack may include full takeover of the machines running the EPM agent. Additionally when the core server is configured to use Microsoft SQL Express, this might lead to remote code execution on the core server.