CVE-2023-28323

Published: Jul 1, 2023Modified: May 5, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine or be used as a stepping stone to get to other network attached machines.

Affected (5)

Products: Ivanti: Endpoint Manager

Ivanti

1 product

Endpoint Manager

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Ivanti Endpoint Manager	Before 2022
Ivanti Endpoint Manager	Version 2022
Ivanti Endpoint Manager	Version 2022 su1
Ivanti Endpoint Manager	Version 2022 su2
Ivanti Endpoint Manager	Version 2022 su3

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://forums.ivanti.com/s/article/SA-2023-06-20-CVE-2023-28323

Source: support@hackerone.com

Vendor Advisory

https://forums.ivanti.com/s/article/SA-2023-06-20-CVE-2023-28323

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.