bdu,nvd,anchore_overrides
Ivanti
Vulnerabilities
724
Known exploited
34
Critical
171
High
411
Top products
Avalanche189Connect Secure166Endpoint Manager116Policy Secure108Ivanti Endpoint Manager72Endpoint Manager Mobile28Secure Access Client28Workspace Control28Zero Trust Access Gateway17Ivanti Endpoint Manager Mobile16Neurons For Secure Access15Ivanti Cloud Services Appliance11Cloud Services Appliance7Desktop \& Server Management7Landesk Management Suite7Ivanti Neurons For Itsm6Neurons For Itsm6Endpoint Manager Cloud Services Appliance5Neurons For Zero-trust Access5Standalone Sentry4
Top vulnerabilities
CVE-2026-10520An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
CVE-2021-22893Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
CVE-2019-11510In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .
CVE-2016-4787Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.
BDU:2026-08029Уязвимость встроенного мобильного шлюза безопасности Ivanti Sentry связана с непринятием мер по нейтрализации специальных элементов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код с правами root
BDU:2024-11068Уязвимость веб-консоли сетевого средства автоматизации процессов управления ИТ-услугами Ivanti Cloud Services Appliance связана с обходом процедуры аутентификации посредством использования альтернативного пути или канала. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить административный доступ
BDU:2024-06794Уязвимость программного средства управления конечными точками Ivanti EPM связана с недостатками механизма десериализации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код
BDU:2024-05798Уязвимость приложения для управления жизненным циклом мобильных устройств и мобильных приложений Ivanti Endpoint Manager Mobile (EPMM) (ранее MobileIron Core) связана с недостатками процедуры аутентификации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, обойти процесс аутентификации
BDU:2023-04168Уязвимость приложения для управления жизненным циклом мобильных устройств и мобильных приложений Ivanti Endpoint Manager Mobile (EPMM) (ранее MobileIron Core) связана с недостатками процедуры аутентификации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии
CVE-2023-46808An file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user.
CVE-2020-13774An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.
BDU:2025-01566Уязвимость средства контроля сетевого доступа Ivanti Connect Secure связана с чтением данных за границами буфера в памяти. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
CVE-2026-5788An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.
CVE-2026-1340A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
CVE-2026-1281A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
CVE-2025-22462An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.
CVE-2025-22457A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-8191SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-7593Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVE-2024-7569An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
CVE-2024-50330SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2024-47010Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-47009Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
CVE-2024-36130An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.
CVE-2024-29847Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.