CVE-2024-29826

8.8 HIGH

📋 TL;DR

An unauthenticated SQL injection vulnerability in Ivanti EPM Core server allows attackers on the same network to execute arbitrary code. This affects Ivanti EPM 2022 SU5 and earlier versions, potentially leading to full system compromise.

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager (EPM)
Versions: 2022 SU5 and earlier
Operating Systems: Windows Server (EPM Core server deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Core server component specifically affected; requires network access to the EPM server

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, data exfiltration, lateral movement across the network, and persistent backdoor installation.

🟠 Likely Case

Unauthorized database access, credential theft, and execution of arbitrary commands on the EPM server.

🟢 If Mitigated

Limited impact with proper network segmentation, but still potential for database compromise within the segmented zone.

🌐 Internet-Facing: LOW (requires same network access, not directly internet exploitable)
🏢 Internal Only: HIGH (unauthenticated attacker on internal network can achieve RCE)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

An SQL injection-to-RCE chain likely requires specific payload construction, but it follows common patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022 SU6 or later

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024

Restart Required: Yes

Instructions:

1. Download the latest EPM patch from the Ivanti portal.
2. Back up the current configuration.
3. Apply the patch following Ivanti documentation.
4. Restart EPM services.
5. Verify that the update was applied successfully.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to the EPM Core server to only the administrative systems that need it.

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection rules in front of the EPM server.

🧯 If You Can't Patch

  • Implement strict network ACLs to limit access to EPM server to trusted IPs only
  • Monitor EPM server logs for SQL injection patterns and unusual database queries

🔍 How to Verify

Check if Vulnerable:

Check EPM version in administration console: if version is 2022 SU5 or earlier, system is vulnerable

Check Version:

Check via EPM web interface or review installation logs

Verify Fix Applied:

Verify EPM version shows 2022 SU6 or later in administration console

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in EPM logs
  • Multiple failed authentication attempts followed by complex queries
  • Database error messages containing SQL syntax

Network Indicators:

  • Unusual outbound connections from EPM server
  • SQL payloads in HTTP requests to EPM endpoints

SIEM Query:

source="epm_logs" AND ("sql" OR "query" OR "syntax") AND ("error" OR "unusual" OR "malformed")
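The following is an added example, not code from the advisory or from Ivanti: it turns the version check above and the log indicators listed here into something a defender can run. The EPM log layout is not given on this page, so the sample lines are constructed in an assumed generic access-log format, and the SQL-error wording is an assumption.

```python
import re
from urllib.parse import unquote

# Advisory fact: Ivanti EPM 2022 SU5 and earlier are vulnerable; 2022 SU6 or later is fixed.
FIXED = (2022, 6)

def is_vulnerable_version(version: str) -> bool:
    """True if an EPM version string like '2022 SU5' is below the first fixed release."""
    m = re.fullmatch(r"\s*(\d{4})\s*SU\s*(\d+)\s*", version, re.I)
    if not m:
        raise ValueError(f"unrecognised EPM version string: {version!r}")
    return (int(m.group(1)), int(m.group(2))) < FIXED

# Indicator patterns applied to the URL-decoded request line and message text.
# Generic SQL-injection signatures, not EPM-specific; tune them to your own traffic.
INDICATORS = {
    "tautology": re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=\s*", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    "comment_or_stack": re.compile(r"(--|/\*|;\s*(drop|exec|xp_\w+))", re.I),
    # Assumed database error wording as it would surface in an application log line.
    "sql_error_text": re.compile(r"incorrect syntax near|unclosed quotation mark|syntax error", re.I),
}

def flag_sqli_log_lines(lines):
    """Return [(line_number, indicator_name, raw_line)] for lines matching any indicator."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        decoded = unquote(raw.replace("+", " "))  # normalise URL encoding before matching
        for name, rx in INDICATORS.items():
            if rx.search(decoded):
                hits.append((n, name, raw))
                break  # one indicator per line is enough for triage
    return hits

# Constructed sample lines (assumed generic access-log layout, not real EPM logs).
# Line 1 is benign; lines 2 to 4 carry the indicators the advisory tells you to watch for.
SAMPLE_LOGS = [
    "10.0.0.5 POST /epm/api/lookup id=42 200",
    "10.0.0.9 GET /epm/api/lookup?id=1%27%20OR%20%271%27=%271 500",
    "10.0.0.9 GET /epm/api/lookup?id=1+UNION+SELECT+name+FROM+sys.tables 500",
    "10.0.0.7 GET /epm/console/ 500 msg=\"Incorrect syntax near the keyword 'FROM'\"",
]

if __name__ == "__main__":
    print("2022 SU5 vulnerable:", is_vulnerable_version("2022 SU5"))
    print("2022 SU6 vulnerable:", is_vulnerable_version("2022 SU6"))
    for hit in flag_sqli_log_lines(SAMPLE_LOGS):
        print(hit)
```

Feed it your own exported request or application log lines instead of SAMPLE_LOGS; the SIEM query above does the same keyword-level triage, while the regexes here catch payload shapes that contain no literal "sql" or "error" string.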
