Introduction
A SQL injection flaw in the Ivanti Endpoint Manager web console gives authenticated attackers a direct path to remote code execution on one of the most widely deployed endpoint management platforms in enterprise IT. With Ivanti serving over 40,000 customers and CISA having already flagged 33 Ivanti vulnerabilities as exploited in the wild, CVE-2026-8111 lands in an environment where threat actors are actively watching for new attack surface in Ivanti products.
Technical Information
CVE-2026-8111 is a SQL injection vulnerability classified under CWE-89. It resides specifically in the web console component of Ivanti Endpoint Manager, the centralized management interface administrators use to manage endpoints across their organization.
The CVSS 3.0 vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Attacker needs a valid low privilege account |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact stays within the vulnerable component |
| Confidentiality | High | Full read access to data |
| Integrity | High | Full modification capability |
| Availability | High | Complete denial of service possible |
The core issue is that user controlled input within the web console is not properly sanitized before being incorporated into SQL queries. An attacker who has authenticated to the EPM web console with even minimal privileges can inject malicious SQL statements through one or more input fields or parameters.
The escalation from SQL injection to remote code execution is the critical aspect of this vulnerability. In endpoint management platforms backed by SQL Server (which is common for Ivanti EPM), SQL injection can be leveraged to execute operating system commands through database features such as xp_cmdshell or by writing files to disk via OPENROWSET or similar mechanisms. The CVSS score of 8.8 with high impact across all three CIA triad categories confirms that exploitation yields full system compromise, not merely data disclosure.
Attack Flow
Based on the available information, the exploitation path follows this general sequence:
- The attacker authenticates to the Ivanti EPM web console using valid credentials with low privilege level. This could be a standard operator account or any role with web console access.
- The attacker identifies an input parameter in the web console that is vulnerable to SQL injection.
- Malicious SQL is injected through the vulnerable parameter, bypassing any input validation or parameterization that should be in place.
- The injected SQL is executed by the backend database with the privileges of the database service account.
- The attacker leverages database capabilities to escalate from SQL execution to operating system command execution, achieving full remote code execution on the EPM server.
This vulnerability was patched alongside two other security flaws in the May 2026 advisory:
| CVE | Description | CVSS | CWE |
|---|---|---|---|
| CVE-2026-8109 | Exposed dangerous method on Core Server leaks access credentials | 6.5 | CWE-749 |
| CVE-2026-8110 | Incorrect permissions in agent allows local privilege escalation | 7.8 | CWE-732 |
| CVE-2026-8111 | SQL injection in web console allows remote code execution | 8.8 | CWE-89 |
The combination of these three vulnerabilities is worth noting. CVE-2026-8109 could potentially provide the initial credentials an attacker needs to then exploit CVE-2026-8111, creating a chained attack scenario where an unauthenticated attacker first leaks credentials and then uses them to achieve RCE via SQL injection.
Affected Systems and Versions
The vulnerability affects Ivanti Endpoint Manager versions 2024 SU5 and all prior versions. Specifically, any installation of Ivanti EPM that has not been updated to version 2024 SU6 is vulnerable. The fix is available exclusively in Ivanti EPM 2024 SU6, which can be obtained through the Ivanti License System.
Vendor Security History
Ivanti has a notable history of security vulnerabilities across its product portfolio. The company became more widely known in the security community following incidents related to its VPN hardware products. To date, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, with 12 of those having been abused by various ransomware operations.
The timing of CVE-2026-8111 is particularly relevant. In the same month (May 2026), CISA added CVE-2026-6973, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities Catalog based on confirmed active exploitation. That flaw allowed remote attackers with administrative privileges to execute arbitrary code. While EPM and EPMM are distinct products, the pattern of active exploitation across the Ivanti product line underscores the urgency of patching CVE-2026-8111 before threat actors develop working exploits.
The vulnerability was responsibly disclosed through Ivanti's disclosure program in coordination with the Trend Zero Day Initiative. Ivanti has stated they are not aware of any customers being exploited prior to public disclosure, and no indicators of compromise have been published.
References
- Ivanti Security Advisory: Ivanti Endpoint Manager (EPM) May 2026
- CISA Adds One Known Exploited Vulnerability to Catalog (May 2026)
- Ivanti warns of new EPMM flaw exploited in zero day attacks (BleepingComputer)
- Ivanti Wikipedia
- Canadian Centre for Cyber Security Advisory AV26-068
- CIS Advisory: Multiple Vulnerabilities in Ivanti Endpoint Manager Mobile



