Medium

SQL Injection in Ivanti Endpoint Manager

IdentifiersCVE-2026-1602CWE-89· Improper Neutralization of Special…

CVE-2026-1602 is an SQL injection vulnerability in Ivanti Endpoint Manager (EPM) affecting versions before 2024 SU5, including EPM 2024 SU4 SR1 and earlier. The flaw is described as existing within the ROI class and is caused by improper validation of a user-supplied string before it is incorporated into SQL queries. Publicly available source material is somewhat inconsistent on ultimate impact: vendor/advisory-style content states the issue allows a remote authenticated attacker to read arbitrary data from the database, while ZDI-derived summary material states the SQL injection can be leveraged further to achieve remote code execution in the context of the EPM service account. At minimum, the vulnerability enables arbitrary database read access through crafted authenticated requests to the vulnerable application logic.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Confirmed impact is unauthorized disclosure of arbitrary data from the Ivanti Endpoint Manager database by a remote authenticated attacker, resulting in a confidentiality breach. Depending on deployment and based on the ZDI-derived summary, the SQL injection may also be exploitable for arbitrary code execution in the context of the EPM service account, which would materially expand impact to integrity and availability and could enable follow-on compromise of the EPM server and managed environment. The provided content is not fully consistent on this point, so database data exposure is the minimum verified impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the EPM application to trusted administrative users and networks only, minimize the number of accounts that can authenticate to the vulnerable interface, enforce least privilege for the application and backing database/service accounts, and increase monitoring for suspicious activity against EPM, including anomalous query behavior and signs of attempted SQL injection. Because mitigation does not remove the underlying flaw, patching to 2024 SU5 remains the required corrective action. Also review systems for signs of prior unauthorized access, since upgrading prevents future exploitation but does not remediate any earlier compromise.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager to version 2024 SU5 or later. The content states that EPM 2024 SU4 SR1 and earlier are affected and that Ivanti issued fixes in EPM 2024 SU5, available through the Ivanti License System. Apply the vendor security update promptly across all affected EPM deployments.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

IvantiEndpoint Managerapplication

IvantiEndpoint Manager (Epm)application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cyber security newsNews

Feb 10, 2026

Ivanti Endpoint Manager Vulnerability Lets Remote Attacker Leak Arbitrary Data

A SQL injection vulnerability in Ivanti Endpoint Manager (EPM) that allows remote authenticated attackers to read arbitrary data from the database.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-1602

NVD

nvd.nist.gov/vuln/detail/CVE-2026-1602

MITRE CWE · CWE-89

Improper Neutralization of Special Elements…

Vendor Advisory

hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US