Ivanti Endpoint Manager RCE via SQL Injection (CVE-2026-8111)
The National Vulnerability Database has detailed CVE-2026-8111, a high-severity SQL injection vulnerability affecting Ivanti Endpoint Manager prior to version 2024 SU6. This flaw, rated 8.8 CVSS, resides in the web console and allows a remote authenticated attacker to execute arbitrary code. This isn’t just a data leak; it’s full system compromise.
Attackers leveraging this vulnerability gain deep control, moving beyond mere data exfiltration to potentially establish persistence and pivot deeper into the network. The fact that it requires authentication should not be a comfort — compromised credentials are a dime a dozen, and insider threats are always a factor. An authenticated attacker with RCE on an endpoint management solution has the keys to your kingdom, capable of impacting every managed device.
Defenders must prioritize patching Ivanti Endpoint Manager to version 2024 SU6 immediately. Beyond patching, review the web console's access logs for any unusual activity, especially failed login attempts or access from unexpected IP addresses. Consider implementing stricter access controls and multi-factor authentication for all administrative interfaces, including your EPM solution.
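The log review described above, as an added example (not code from the original advisory or from Ivanti): it parses web console logs in W3C extended format and reports clients outside an expected admin range and clients with repeated failed logins. The sample log lines, the admin network, the 401/403 failure statuses and the threshold are assumptions; the console path is the one used in the Sigma rule on this page.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-05-10 08:01:12 POST /userportal/Login.dll - 10.20.0.15 200
2026-05-10 08:03:40 POST /userportal/Login.dll - 203.0.113.44 401
2026-05-10 08:03:41 POST /userportal/Login.dll - 203.0.113.44 401
2026-05-10 08:03:43 POST /userportal/Login.dll - 203.0.113.44 401
2026-05-10 08:03:47 POST /userportal/Login.dll - 203.0.113.44 200
2026-05-10 09:15:02 GET /userportal/Login.dll - 10.20.0.77 401
2026-05-10 09:20:10 GET /favicon.ico - 198.51.100.9 200
"""
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: expected admin range
CONSOLE_PREFIX = "/userportal/"  # path taken from the Sigma rule on this page
FAILED = {"401", "403"}          # assumption: statuses treated as failed logins
THRESHOLD = 3                    # assumption: failures per client worth a look

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def audit(text):
    """Return (unexpected client IPs, {client: failed logins}) for console requests."""
    unexpected, failures = set(), Counter()
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith(CONSOLE_PREFIX):
            continue  # only web console requests are of interest
        ip = ipaddress.ip_address(row["c-ip"])
        if not any(ip in net for net in ADMIN_NETS):
            unexpected.add(row["c-ip"])
        if row["sc-status"] in FAILED:
            failures[row["c-ip"]] += 1
    noisy = {ip: n for ip, n in failures.items() if n >= THRESHOLD}
    return sorted(unexpected), noisy

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

To run it against real logs, pass the file contents to `audit()` and set `ADMIN_NETS` to the networks administrators actually connect from.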
What This Means For You
- If your organization uses Ivanti Endpoint Manager, you are exposed to remote code execution. Verify your version immediately and apply the 2024 SU6 update without delay. Audit web console logs for any suspicious activity pre-patch.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-8111 - Ivanti Endpoint Manager SQL Injection RCE
```yaml
title: CVE-2026-8111 - Ivanti Endpoint Manager SQL Injection RCE
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects potential exploitation of CVE-2026-8111 by looking for requests to the Ivanti Endpoint Manager login page with specific parameters that are known to be vulnerable to SQL injection, leading to RCE. This rule targets the initial access vector.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8111/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/userportal/Login.dll'
    cs-uri-query|contains:
      - 'username='
      - 'password='
    sc-status:
      - 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8111 | SQLi | Ivanti Endpoint Manager before version 2024 SU6 |
| CVE-2026-8111 | RCE | Ivanti Endpoint Manager before version 2024 SU6 |
| CVE-2026-8111 | SQLi | web console of Ivanti Endpoint Manager |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.