CVE-2024-29824
📋 TL;DR
An unauthenticated SQL injection vulnerability in Ivanti EPM Core server allows attackers on the same network to execute arbitrary code. This affects Ivanti EPM 2022 SU5 and earlier versions. Attackers can potentially gain full control of affected systems.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.
Likely Case
Unauthenticated attackers gaining administrative access to the EPM server, allowing them to deploy malware, steal credentials, and pivot to other systems.
If Mitigated
If network segmentation and proper access controls are in place, impact may be limited to the EPM server itself without lateral movement.
🎯 Exploit Status
CISA has added this CVE to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024
Restart Required: Yes
Instructions:
1. Download Ivanti EPM 2022 SU6 or later from the Ivanti portal.
2. Back up the current configuration and database.
3. Run the installer on the EPM server.
4. Restart the server after installation completes.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the EPM server to only trusted administrative systems
Firewall Rules
Implement strict firewall rules to limit connections to the EPM server. Windows Firewall evaluates block rules before allow rules, so the blanket block below (remoteip=any) cuts off every client, including the management console and trusted administrators, not only untrusted hosts. To admit only trusted administrative systems, scope an allow rule to that range and let the profile's default inbound block action drop everything else (replace <TRUSTED-ADMIN-SUBNET>, a placeholder, with your administrative subnet):
netsh advfirewall firewall add rule name="Allow EPM from admins" dir=in action=allow protocol=TCP localport=1433,8080,8443 remoteip=<TRUSTED-ADMIN-SUBNET>
If the server must be taken fully off the network (for example while patching), the blanket block is:
netsh advfirewall firewall add rule name="Block EPM Ports" dir=in action=block protocol=TCP localport=1433,8080,8443 remoteip=any
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the EPM server from other critical systems
- Deploy web application firewall (WAF) with SQL injection protection rules in front of the EPM server
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version in the web interface or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Version
Check Version:
reg query "HKLM\SOFTWARE\LANDesk\ManagementSuite" /v Version
Verify Fix Applied:
Verify that the installed version is 2022 SU6 or later, that the server was restarted after the update, and that SQL injection test requests against the server are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in EPM logs
- Failed authentication attempts followed by SQL errors
- Unexpected process creation from EPM service
Network Indicators:
- SQL injection patterns in HTTP requests to EPM server
- Unusual outbound connections from EPM server
SIEM Query:
source="epm_logs" AND ("sql error" OR "injection" OR "syntax error")
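As an added example (not part of the advisory and not an Ivanti tool), a small Python checker that applies the log and network indicators above to constructed sample lines: it URL-decodes request targets before matching injection markers, so percent-encoded payloads are not missed, and it correlates a failed authentication with a SQL error from the same client within five minutes. The line format and event names are assumptions, not the real EPM log format.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines (assumed format, not a real Ivanti EPM log):
# "<timestamp> <client-ip> <event> <detail>"
SAMPLE_LOG = """\
2024-05-21T10:00:01Z 10.0.0.5 HTTP GET /console/login.aspx?user=admin 200
2024-05-21T10:00:02Z 10.0.0.5 AUTH_FAIL user=admin
2024-05-21T10:00:09Z 10.0.0.5 HTTP GET /api/items?id=1%27%20OR%201%3D1-- 500
2024-05-21T10:00:09Z 10.0.0.5 SQL_ERROR Incorrect syntax near ''
2024-05-21T10:05:00Z 10.0.0.9 HTTP GET /console/report.aspx?id=42 200
2024-05-21T10:06:00Z 10.0.0.9 SQL_ERROR Timeout expired
"""

# Common injection markers, matched against the URL-decoded request target.
SQLI_RE = re.compile(
    r"'\s*(or|and)\b|\bunion\s+(all\s+)?select\b|;\s*(exec|drop|xp_)|--|/\*",
    re.IGNORECASE)

def parse_line(line):
    """Split one constructed log line into timestamp, client IP, event, detail."""
    ts, ip, event, detail = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "event": event, "detail": detail}

def find_sqli_requests(records):
    """Return (ip, decoded target) for HTTP lines carrying injection markers."""
    hits = []
    for r in records:
        if r["event"] == "HTTP":
            target = unquote_plus(r["detail"].split(" ")[1])  # "METHOD target status"
            if SQLI_RE.search(target):
                hits.append((r["ip"], target))
    return hits

def find_auth_fail_then_sql_error(records, window=timedelta(minutes=5)):
    """Return IPs whose AUTH_FAIL is followed within `window` by a SQL_ERROR."""
    last_fail, flagged = {}, []
    for r in records:  # records are assumed to be in chronological order
        if r["event"] == "AUTH_FAIL":
            last_fail[r["ip"]] = r["ts"]
        elif r["event"] == "SQL_ERROR":
            t = last_fail.get(r["ip"])
            if t is not None and r["ts"] - t <= window and r["ip"] not in flagged:
                flagged.append(r["ip"])
    return flagged

def analyze(log_text):
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return {"sqli_requests": find_sqli_requests(records),
            "auth_fail_then_sql_error": find_auth_fail_then_sql_error(records)}
```

Running analyze(SAMPLE_LOG) flags 10.0.0.5 on both indicators, while 10.0.0.9's lone timeout error is not escalated.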