CVE-2024-29824: Critical Vulnerability in Ivanti Endpoint Manager Actively Exploited, PoC Published

[Image: Successfully exploiting using Burp | Image: Horizon3]

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical vulnerability in Ivanti Endpoint Manager (EPM), a widely used platform for managing client devices across Windows, macOS, Chrome OS, and IoT environments. The vulnerability, tracked as CVE-2024-29824, holds a CVSS severity score of 9.6, underscoring the potential threat it poses to organizations reliant on Ivanti’s solution.

This newly disclosed vulnerability lies within the Core server of Ivanti EPM versions 2022 SU5 and earlier. The flaw, classified as an SQL Injection vulnerability, enables an unauthenticated attacker within the same network to execute arbitrary code, potentially gaining complete control over affected systems. The root cause stems from the RecordGoodApp method, which fails to validate user-supplied input before using it in SQL queries. This oversight allows attackers to manipulate the SQL database, injecting malicious commands and leveraging the vulnerability to execute code under the service account’s context.
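The flaw class described above, user input spliced into SQL text, is easiest to see next to its fix. The following is an added illustration, not Ivanti's RecordGoodApp code and not a claim about that method's actual query; it uses an in-memory SQLite database, and the table name, query shape and function names are assumptions chosen for the example. It shows why a parameterized query closes this bug class: the same crafted value that rewrites the concatenated statement is treated purely as data by the bound version.

```python
# Added example (not Ivanti's code): the SQL injection class described above,
# shown as a query built by string concatenation next to the parameterized form.
# Uses an in-memory SQLite database; the table, the query shape and the function
# names are assumptions chosen for illustration, not RecordGoodApp's actual logic.
import sqlite3


def make_db():
    """Build a small constructed allow-list of application names."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE apps (name TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO apps VALUES (?, ?)",
        [("notepad.exe", "good"), ("calc.exe", "good"), ("unknown.bin", "blocked")],
    )
    return con


def lookup_concat(con, name):
    """Vulnerable pattern: caller-controlled text is spliced into the SQL string,
    so quotes and comment markers in the value change the statement itself."""
    sql = f"SELECT name FROM apps WHERE name = '{name}' AND status = 'good'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, name):
    """Hardened pattern: the value is bound as a parameter, so the database
    engine treats it purely as data and the statement shape cannot change."""
    sql = "SELECT name FROM apps WHERE name = ? AND status = 'good'"
    return [row[0] for row in con.execute(sql, (name,))]


# A constructed input that closes the quoted literal and comments out the rest
# of the WHERE clause in the concatenated version.
CRAFTED = "x' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("concat, legitimate:", lookup_concat(con, "notepad.exe"))
    print("concat, crafted:   ", lookup_concat(con, CRAFTED))  # status filter bypassed
    print("param,  crafted:   ", lookup_param(con, CRAFTED))   # no such name: []
```

With the legitimate name both functions return the single matching row; with the crafted value the concatenated query returns every row, including the one marked `blocked`, while the parameterized query returns nothing because no application is literally named `x' OR 1=1 --`. The same property holds for MS SQL's parameterized commands, which is the fix a code review of an input-to-query path should be looking for.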

Security researchers from Horizon3 have not only disclosed the technical intricacies of the CVE-2024-29824 vulnerability but also released a proof-of-concept (PoC) exploit, making it easier for malicious actors to replicate the attack. One of the telltale signs of exploitation is MS SQL logs showing use of the xp_cmdshell command, which attackers commonly employ to execute system-level commands.

Although xp_cmdshell is a popular method for achieving remote code execution (RCE), experts warn that this may not be the sole avenue for exploitation. Organizations using Ivanti EPM are encouraged to thoroughly inspect their MS SQL logs for evidence of unauthorized commands.
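The two paragraphs above name the indicator (xp_cmdshell appearing in MS SQL logs) and the caveat (it may not be the only path). The following is an added example, not from the article or from Horizon3, of turning that indicator into a repeatable check over exported statement logs. The log lines are constructed for the example, and the `<timestamp> <login> <statement>` layout is an assumption; `parse_line()` is the only piece that needs adapting to a real audit or trace export. It separately labels the `sp_configure 'xp_cmdshell', 1` step that switches the procedure on, because enable-then-execute from one login is a stronger signal than either alone.

```python
# Added example, not from the article or Horizon3: a small scanner for the
# indicator the text names, xp_cmdshell use in MS SQL statement logs. The log
# lines are constructed for this example and the "<timestamp> <login> <statement>"
# layout is an assumption; adapt parse_line() to your own audit/trace export.
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
2024-10-02T11:03:14Z svc_epm SELECT Name FROM Apps WHERE Hash = @h
2024-10-02T11:03:15Z svc_epm EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-10-02T11:03:15Z svc_epm EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-10-02T11:03:16Z svc_epm EXEC master..XP_CMDSHELL 'whoami'
2024-10-02T11:03:17Z svc_epm EXEC [xp_cmdshell] 'whoami'
2024-10-02T11:04:01Z reporting SELECT COUNT(*) FROM Devices
"""

# Case-insensitive: T-SQL identifiers are case-insensitive under the default
# collation, and \b lets the pattern match through "master.." and "[...]" quoting.
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# The configuration change that turns the procedure on; a precursor worth its own label.
ENABLE_XP = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    login: str
    kind: str        # "enable" (procedure switched on) or "execute" (procedure called)
    statement: str


def parse_line(line):
    """Split one log line into (timestamp, login, statement); None if malformed."""
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None


def scan(log_text):
    """Return a Finding for every line that enables or invokes xp_cmdshell."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, login, stmt = parsed
        if ENABLE_XP.search(stmt):
            findings.append(Finding(ts, login, "enable", stmt))
        elif XP_CMDSHELL.search(stmt):
            findings.append(Finding(ts, login, "execute", stmt))
    return findings


def escalation_logins(findings):
    """Logins that both enabled and executed xp_cmdshell: the strongest signal,
    since an application service account rarely has a legitimate reason for either."""
    enabled = {f.login for f in findings if f.kind == "enable"}
    executed = {f.login for f in findings if f.kind == "execute"}
    return enabled & executed


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f.timestamp, f.login, f.kind.upper(), f.statement)
    print("enable+execute logins:", escalation_logins(results))
```

On the constructed sample the scanner reports one `enable` and two `execute` findings, all from `svc_epm`, and names that login as having done both; the `show advanced options` line is deliberately not flagged on its own, since it is common administrative noise. Because the article's caveat is that xp_cmdshell is not necessarily the only avenue, a clean run of this check rules out one indicator, not exploitation as such; the statement log should still be read for any other unexpected activity from the EPM service account.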

In response to the discovery, CISA has added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as a critical threat. Federal agencies, in particular, are now required to patch their systems without delay, with CISA’s Binding Operational Directive (BOD) 22-01 mandating that all vulnerable servers must be patched by October 23, 2024.

Given the public availability of the proof-of-concept exploit and the high impact of the vulnerability, organizations that rely on Ivanti EPM are strongly urged to apply the patch immediately to mitigate the risk of exploitation.
