CVE-2024-29822
📋 TL;DR
An unauthenticated SQL injection vulnerability in Ivanti EPM Core server allows attackers on the same network to execute arbitrary code. This affects Ivanti EPM 2022 SU5 and earlier versions. Attackers can potentially gain full control of affected systems.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
Ivanti Endpoint Manager (EPM) is an endpoint management platform used to inventory, configure, patch and deploy software to managed devices. The Core server is its central management component, which is where this vulnerability lies.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation across the network.
Likely Case
Database compromise, credential theft, and installation of malware or backdoors on vulnerable EPM servers.
If Mitigated
Limited impact due to network segmentation, proper authentication requirements, and input validation controls preventing successful exploitation.
🎯 Exploit Status
SQL injection vulnerabilities typically have low exploitation complexity. Unauthenticated access lowers the barrier for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024
Restart Required: Yes
Instructions:
1. Download and install Ivanti EPM 2022 SU6 or later from the Ivanti portal.
2. Apply the update to all affected Core servers.
3. Restart the EPM services or reboot the server as required.
🔧 Temporary Workarounds
Network Segmentation
Isolate EPM Core servers from general network access using firewalls or VLANs
Input Validation Rules
Implement WAF rules to detect and block SQL injection patterns
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to EPM Core servers only from authorized management systems
- Monitor EPM server logs for SQL injection patterns and unusual database queries
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version in the EPM console under Help > About. Versions 2022 SU5 and earlier are vulnerable.
Check Version:
In EPM console: Navigate to Help > About to view version information
Verify Fix Applied:
Confirm in the EPM console that 2022 SU6 or later is installed, then review logs for SQL injection attempts made before the update was applied, since an earlier successful attempt would not be undone by patching.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in EPM logs
- Failed authentication attempts followed by database queries
- Multiple rapid requests with SQL-like patterns
Network Indicators:
- Unusual outbound connections from EPM servers
- Database connection attempts from unexpected sources
- SQL error messages in network traffic
SIEM Query (generic keyword search; adapt the source name, field names and the authorized-user condition to your SIEM, and expect false positives from legitimate requests containing words such as "select"):
source="epm_logs" AND ("sql" OR "query" OR "select" OR "union") AND NOT user="authorized_user"
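The log indicators above can be turned into a small triage script. The following is an added example, not part of the original advisory and not Ivanti tooling; the key=value log layout and the field names (src, user, path, q, status) are assumptions, since the real EPM Core log format is not described here. It matches on SQL syntax in a request parameter (a UNION SELECT, a tautology, a quote followed by a comment, a stacked statement) rather than on lone keywords, so a legitimate request containing the word "select" is not flagged, and it applies the "multiple rapid requests" indicator by counting matching requests per source within a 60-second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample log lines. The key=value layout is an assumption for this
# example and is not the real Ivanti EPM Core log format. Lines 1, 2 and 7 are
# benign administrator traffic; the others are unauthenticated probes.
SAMPLE_LOG = """\
2024-05-22T10:00:01Z src=10.1.2.10 user=admin path=/api/devices q=name%3Dlaptop-01 status=200
2024-05-22T10:00:02Z src=10.1.2.10 user=admin path=/api/reports q=select+all+devices status=200
2024-05-22T10:05:10Z src=10.9.9.50 user=- path=/api/inventory q=id%3D1%27+UNION+SELECT status=500
2024-05-22T10:05:10Z src=10.9.9.50 user=- path=/api/inventory q=id%3D1+OR+1%3D1 status=500
2024-05-22T10:05:12Z src=10.9.9.50 user=- path=/api/inventory q=id%3D1%27-- status=200
2024-05-22T11:00:00Z src=10.7.7.7 user=- path=/api/inventory q=id%3D2+OR+1%3D1 status=200
2024-05-22T11:30:00Z src=10.1.2.11 user=helpdesk path=/api/devices q=name%3Dlaptop-02 status=200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# SQL *syntax* inside a parameter, not a lone keyword: "select" on its own also
# appears in legitimate traffic (see the second sample line).
SQLI_RE = re.compile(
    r"(union\s+select"                              # UNION SELECT
    r"|\bor\s+\d+\s*=\s*\d+"                        # tautology such as OR 1=1
    r"|'\s*(--|#)"                                  # quote followed by a SQL comment
    r"|;\s*(drop|insert|update|delete|exec)\b)",    # stacked statement
    re.IGNORECASE,
)

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3


def parse_line(line):
    """Split one log line into a timestamp plus key=value fields; decode the query."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields["q"] = unquote_plus(fields.get("q", ""))
    return fields


def analyze(log_text):
    """Return (alerts, bursts) for the given log text.

    alerts: one dict per line whose query matches SQLI_RE, with the reasons
            that fired (pattern hit, unauthenticated request, server error).
    bursts: {src: count} for sources with BURST_THRESHOLD or more matching
            requests inside BURST_WINDOW (the 'multiple rapid requests' indicator).
    """
    alerts = []
    hits_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        m = SQLI_RE.search(f["q"])
        if not m:
            continue
        reasons = [f"sql pattern: {m.group(0)!r}"]
        if f.get("user", "-") == "-":
            reasons.append("unauthenticated request")
        if f.get("status", "").startswith("5"):
            reasons.append("server error (possible SQL error)")
        alerts.append({"ts": f["ts"], "src": f["src"], "path": f["path"], "reasons": reasons})
        hits_by_src[f["src"]].append(f["ts"])

    bursts = {}
    for src, times in hits_by_src.items():
        times.sort()
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                bursts[src] = len(window)
                break
    return alerts, bursts


if __name__ == "__main__":
    found, rapid = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["src"], a["path"], "; ".join(a["reasons"]))
    for src, n in rapid.items():
        print(f"burst: {src} sent {n} suspicious requests within {BURST_WINDOW.seconds}s")
```

On the constructed input this flags the four unauthenticated probes and reports 10.9.9.50 as a burst source, while the administrator's "select all devices" report request passes untouched. Feeding it real EPM logs means rewriting parse_line for the actual format and tuning SQLI_RE against a sample of known-good traffic before alerting on it.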