CVE-2024-32846: 
Ivanti Endpoint Manager vulnerability analysis and mitigation

An unspecified SQL injection vulnerability (CVE-2024-32846) affects Ivanti Endpoint Manager (EPM) versions before 2022 SU6 and the 2024 version prior to the September update. The vulnerability was discovered and reported through HackerOne, with the initial CVE record created on September 11, 2024 (NVD).

The vulnerability is classified as a SQL injection (CWE-89) that affects authenticated users with administrative privileges. It has received multiple CVSS severity ratings: NIST assigned a HIGH severity score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), while HackerOne rated it as CRITICAL with a score of 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) (NVD).

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution in the context of the system. Depending on the system privileges, an attacker could potentially install programs, view, change, or delete data (CIS Advisory).

Organizations should immediately update to Ivanti EPM 2022 SU6 or apply the 2024 September update after appropriate testing. It is recommended to follow the principle of least privilege and implement network segmentation to minimize potential impact (CIS Advisory).