Cyber Posture

CVE-2024-13162

Severity: High
Published: 14 January 2025
Modified: 11 July 2025
KEV Added: not listed
Patch: available (Ivanti January-2025 Security Update)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4376 (97.6th percentile)
Risk Priority: 41 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13162 is a high-severity SQL Injection (CWE-89) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly requires timely remediation of the SQL injection flaw via patching, as detailed in Ivanti's January-2025 security updates.
- prevent (SI-10, Information Input Validation): Mandates validation of information inputs to block SQL injection attacks that enable remote code execution.
- detect (RA-5, Vulnerability Monitoring and Scanning): Facilitates identification of the SQL injection vulnerability through vulnerability scanning, enabling prompt remediation.

NVD Description

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.

Deeper analysis (AI-generated)

CVE-2024-13162 is a SQL injection vulnerability (CWE-89) affecting Ivanti Endpoint Manager (EPM) versions prior to the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. It enables remote code execution and arises from the incomplete fixes issued for the earlier CVE-2024-32848. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high confidentiality, integrity, and availability impacts, network accessibility, low attack complexity, and a requirement for high privileges.

A remote authenticated attacker possessing admin privileges (the PR:H requirement) can exploit this SQL injection flaw to execute arbitrary code on the affected Ivanti EPM server. No user interaction is required, and the attack operates over the network with low complexity once an administrative session is available.

Ivanti's security advisory at https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 identifies the January-2025 security updates for EPM 2024 and EPM 2022 SU6 as the primary mitigation and urges administrators to apply these patches promptly, as they address both this vulnerability and its predecessor.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

Vendor: Ivanti
Product: Endpoint Manager
Versions: 2022, 2024 · ≤ 2022

CVEs Like This One

- CVE-2025-9712 (same product: Ivanti Endpoint Manager)
- CVE-2024-13158 (same product: Ivanti Endpoint Manager)
- CVE-2024-13172 (same product: Ivanti Endpoint Manager)
- CVE-2024-13169 (same product: Ivanti Endpoint Manager)
- CVE-2024-13167 (same product: Ivanti Endpoint Manager)
- CVE-2024-10811 (same product: Ivanti Endpoint Manager)
- CVE-2024-13166 (same product: Ivanti Endpoint Manager)
- CVE-2024-13161 (same product: Ivanti Endpoint Manager)
- CVE-2026-1603 (same product: Ivanti Endpoint Manager)
- CVE-2024-13165 (same product: Ivanti Endpoint Manager)
