CVE-2026-1602
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated attackers to read arbitrary data from the database. It affects all Ivanti EPM installations before version 2024 SU5. Attackers must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, credentials, and endpoint information leading to lateral movement across the network.
Likely Case
Data exfiltration of endpoint management data, potentially exposing system configurations and sensitive organizational information.
If Mitigated
Limited data exposure if proper input validation and database permissions are enforced, though some data leakage may still occur.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit once identified. Requires authenticated access to the EPM web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US
Restart Required: Yes
Instructions:
1. Download Ivanti EPM 2024 SU5 or later from the Ivanti portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the EPM services after installation completes.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation on all database queries in the EPM application
Database Permission Reduction
Restrict database user permissions to minimum required for EPM functionality
🧯 If You Can't Patch
- Implement network segmentation to restrict access to EPM servers only to authorized administrators
- Enable detailed SQL query logging and monitor for suspicious database access patterns
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version in the web interface under Help > About or via the EPM console
Check Version:
For Windows: Check registry at HKLM\SOFTWARE\LANDesk\ManagementSuite\Version. For Linux: Check /opt/landesk/version.txt
Verify Fix Applied:
Confirm the version is 2024 SU5 or later and test that SQL injection attempts are properly blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful authentication and database queries
- Large data extraction queries from EPM application user
Network Indicators:
- Unusual database traffic from EPM application servers
- SQL error messages in HTTP responses
SIEM Query:
source="epm_logs" AND ("sql" OR "database") AND ("error" OR "injection" OR "syntax")
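The keyword query above matches single lines; the second log indicator is a sequence (failed logins, then a successful login, then database activity). The sketch below is an added example, not Ivanti or vendor code, that correlates that sequence per user and source. The key=value log layout, the event names (`login_failed`, `login_ok`, `sql_error`, `db_query`) and the thresholds are assumptions chosen for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The key=value layout and event names are
# assumptions for illustration, not Ivanti EPM's real log format.
SAMPLE_LOG = """\
2026-02-10T09:00:01 user=svc_report src=10.0.0.7 event=login_ok
2026-02-10T09:00:05 user=svc_report src=10.0.0.7 event=db_query rows=120
2026-02-10T09:14:10 user=jdoe src=10.0.0.23 event=login_failed
2026-02-10T09:14:15 user=jdoe src=10.0.0.23 event=login_failed
2026-02-10T09:14:21 user=jdoe src=10.0.0.23 event=login_failed
2026-02-10T09:14:40 user=jdoe src=10.0.0.23 event=login_ok
2026-02-10T09:15:02 user=jdoe src=10.0.0.23 event=sql_error
2026-02-10T09:16:30 user=jdoe src=10.0.0.23 event=db_query rows=250000
"""

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) event=(\w+)(?: rows=(\d+))?$")

def correlate(log_text, min_failures=3, window=timedelta(minutes=10), max_rows=10000):
    """Return (user, src, event, timestamp) for DB anomalies that follow a
    burst of failed logins and a successful login inside `window`."""
    failures = defaultdict(list)   # (user, src) -> failed-login timestamps
    flagged = {}                   # (user, src) -> time of suspicious login_ok
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # skip lines that do not parse
        ts, user, src, event, rows = m.groups()
        ts, key = datetime.fromisoformat(ts), (user, src)
        if event == "login_failed":
            failures[key].append(ts)
        elif event == "login_ok":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                flagged[key] = ts  # success right after a failure burst
            failures[key].clear()
        elif key in flagged and ts - flagged[key] <= window:
            big = event == "db_query" and int(rows or 0) >= max_rows
            if event == "sql_error" or big:
                findings.append((user, src, event, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Map the event names and the row threshold to whatever your EPM web, authentication and database logs actually record before relying on the output.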