CVE-2023-39336: Remote Code Execution Vulnerability Found in Ivanti EPM

Note: Kroll experts are still investigating this vulnerability. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

Ivanti released a patch for a critical vulnerability discovered in Ivanti Endpoint Manager (EPM) that could allow for remote code execution (RCE). This vulnerability is being tracked as CVE-2023-39336 with a CVSS score of 9.6 (Critical), which is not yet actively exploited. All versions of Ivanti EPM prior to Service Update 5 are impacted.

Ivanti credits security researcher hir0t for the responsible disclosure.

If exploited, this vulnerability could allow an attacker with access to the internal network to leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker to have control over machines running the EPM agent. If the core server is configured to use SQL express, it could lead to RCE on the core server.

Analysis

While no technical details of the exploit have yet been shared, threat actors are often quick to leverage new vulnerabilities affecting the platform or even develop zero-days for them.

To exploit this vulnerability, threat actors must have gained access to the victim environment. Therefore, the impact of this vulnerability may be limited. However, endpoint management systems are attractive targets for threat actors because they provide elevated access to thousands of devices, which may be leveraged by threat actors to move laterally within an environment or conduct ransomware attacks.

The Kroll Cyber Threat Intelligence (CTI) team recommends organizations to install Ivanti EPM 2022 Service Update 5.