Ivanti is warning users of its Endpoint Management service about a serious security vulnerability that could allow a device to be taken over remotely without authentication. A patch for this bug has now been released.

Ivanti traces the error to a name CVE-2023-39336. It gets a CVSS score of 9.6. The company says In a blog post There are no indications that customers have been affected by the flaw, but it recommends that customers update their software. A fix for the bug is included in Ivanti EPM 2022 Service Update 5.

For the attack to be successful, the attacker must first have access to the internal network. Once this access is established, the attacker can execute new SQL queries via undescribed SQL injection. For example, it is possible to filter data from the server.

Using these commands, it will also be possible to take control of devices running Ivanti’s Endpoint Manager software. If SQL is enabled on the primary server, an attacker can also take over that server. According to Ivanti, these actions could have been performed without requiring further user authentication.

This is the second time in a relatively short period that Ivanti has been in the news for a serious security vulnerability. This also happened in July last year. It then emerged that Norwegian government systems had been compromised using Ivanti’s mobile EPM zero-day. It was also possible to carry out an attack without authentication.