ZeroPath at Black Hat USA 2026

Ivanti Endpoint Manager CVE-2026-8111: Brief Summary of SQL Injection to Remote Code Execution

A brief summary of CVE-2026-8111, a high severity SQL injection vulnerability in the Ivanti Endpoint Manager web console that enables authenticated remote code execution, patched in version 2024 SU6.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Ivanti Endpoint Manager CVE-2026-8111: Brief Summary of SQL Injection to Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A SQL injection flaw in the Ivanti Endpoint Manager web console gives authenticated attackers a direct path to remote code execution on one of the most widely deployed endpoint management platforms in enterprise IT. With Ivanti serving over 40,000 customers and CISA having already flagged 33 Ivanti vulnerabilities as exploited in the wild, CVE-2026-8111 lands in an environment where threat actors are actively watching for new attack surface in Ivanti products.

Technical Information

CVE-2026-8111 is a SQL injection vulnerability classified under CWE-89. It resides specifically in the web console component of Ivanti Endpoint Manager, the centralized management interface administrators use to manage endpoints across their organization.

The CVSS 3.0 vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:

MetricValueMeaning
Attack VectorNetworkExploitable remotely over the network
Attack ComplexityLowNo special conditions required
Privileges RequiredLowAttacker needs a valid low privilege account
User InteractionNoneNo victim action needed
ScopeUnchangedImpact stays within the vulnerable component
ConfidentialityHighFull read access to data
IntegrityHighFull modification capability
AvailabilityHighComplete denial of service possible

The core issue is that user controlled input within the web console is not properly sanitized before being incorporated into SQL queries. An attacker who has authenticated to the EPM web console with even minimal privileges can inject malicious SQL statements through one or more input fields or parameters.

The escalation from SQL injection to remote code execution is the critical aspect of this vulnerability. In endpoint management platforms backed by SQL Server (which is common for Ivanti EPM), SQL injection can be leveraged to execute operating system commands through database features such as xp_cmdshell or by writing files to disk via OPENROWSET or similar mechanisms. The CVSS score of 8.8 with high impact across all three CIA triad categories confirms that exploitation yields full system compromise, not merely data disclosure.

Attack Flow

Based on the available information, the exploitation path follows this general sequence:

  1. The attacker authenticates to the Ivanti EPM web console using valid credentials with low privilege level. This could be a standard operator account or any role with web console access.
  2. The attacker identifies an input parameter in the web console that is vulnerable to SQL injection.
  3. Malicious SQL is injected through the vulnerable parameter, bypassing any input validation or parameterization that should be in place.
  4. The injected SQL is executed by the backend database with the privileges of the database service account.
  5. The attacker leverages database capabilities to escalate from SQL execution to operating system command execution, achieving full remote code execution on the EPM server.

This vulnerability was patched alongside two other security flaws in the May 2026 advisory:

CVEDescriptionCVSSCWE
CVE-2026-8109Exposed dangerous method on Core Server leaks access credentials6.5CWE-749
CVE-2026-8110Incorrect permissions in agent allows local privilege escalation7.8CWE-732
CVE-2026-8111SQL injection in web console allows remote code execution8.8CWE-89

The combination of these three vulnerabilities is worth noting. CVE-2026-8109 could potentially provide the initial credentials an attacker needs to then exploit CVE-2026-8111, creating a chained attack scenario where an unauthenticated attacker first leaks credentials and then uses them to achieve RCE via SQL injection.

Affected Systems and Versions

The vulnerability affects Ivanti Endpoint Manager versions 2024 SU5 and all prior versions. Specifically, any installation of Ivanti EPM that has not been updated to version 2024 SU6 is vulnerable. The fix is available exclusively in Ivanti EPM 2024 SU6, which can be obtained through the Ivanti License System.

Vendor Security History

Ivanti has a notable history of security vulnerabilities across its product portfolio. The company became more widely known in the security community following incidents related to its VPN hardware products. To date, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, with 12 of those having been abused by various ransomware operations.

The timing of CVE-2026-8111 is particularly relevant. In the same month (May 2026), CISA added CVE-2026-6973, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities Catalog based on confirmed active exploitation. That flaw allowed remote attackers with administrative privileges to execute arbitrary code. While EPM and EPMM are distinct products, the pattern of active exploitation across the Ivanti product line underscores the urgency of patching CVE-2026-8111 before threat actors develop working exploits.

The vulnerability was responsibly disclosed through Ivanti's disclosure program in coordination with the Trend Zero Day Initiative. Ivanti has stated they are not aware of any customers being exploited prior to public disclosure, and no indicators of compromise have been published.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization