CVE-2024-32845
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. It affects Ivanti EPM versions before 2022 SU6 and before the September 2024 update. Attackers with admin credentials can exploit this to compromise affected systems.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the EPM server, potentially pivoting to other systems in the network.
Likely Case
Data exfiltration, privilege escalation, or lateral movement within the network using the compromised EPM server.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place.
🎯 Exploit Status
SQL injection vulnerabilities are typically easy to exploit once discovered. Requires admin credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or September 2024 update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Ivanti portal.
2. Back up the EPM database and configuration.
3. Apply the patch following the Ivanti documentation.
4. Restart EPM services.
5. Verify the update succeeded.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to EPM to necessary personnel only, and only from trusted networks.
Network Segmentation
Isolate the EPM server from the internet and restrict internal access to specific IP ranges.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the EPM web interface
- Enforce multi-factor authentication for all EPM admin accounts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the Administration Console under Help > About. If the version is earlier than 2022 SU6, or the September 2024 update has not been applied, the system is vulnerable.
Check Version:
In the EPM console: Help > About; or check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Version
Verify Fix Applied:
Verify that the version shows 2022 SU6 or later, or that the September 2024 update has been applied. Test SQL injection attempts against the admin interface should now be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in EPM logs
- Multiple failed login attempts followed by admin access
- Unexpected database operations
Network Indicators:
- SQL injection patterns in HTTP requests to EPM web interface
- Unusual outbound connections from EPM server
SIEM Query:
source="epm_logs" AND ("sql" OR "injection" OR "exec" OR "xp_cmdshell")
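The keyword query above has high recall but fires on benign searches such as "sql server license". The following is an added Python example (not from this page or from Ivanti) that runs that keyword rule next to a tighter pattern rule over constructed EPM-style request log lines; the log format, field order and sample lines are all assumptions.

```python
import re

# Constructed sample log lines (not from a real EPM deployment):
# timestamp, authenticated user, HTTP method, request path plus parameters.
SAMPLE_LOGS = [
    "2024-09-12T10:01:03Z admin GET /api/devices?name=LAPTOP-42",
    "2024-09-12T10:01:09Z admin GET /api/devices?name=x' OR 1=1--",
    "2024-09-12T10:02:17Z admin POST /api/report filter=1;EXEC xp_cmdshell",
    "2024-09-12T10:03:00Z helpdesk GET /api/devices?name=PRINTER-07",
    "2024-09-12T10:04:44Z admin GET /api/search?q=sql server license",
]

# Keyword rule equivalent to the SIEM query: broad, and noisy on normal traffic.
KEYWORD_RULE = re.compile(r"\b(sql|injection|exec|xp_cmdshell)\b", re.IGNORECASE)

# Pattern rule: quote-tautology, comment terminator, stacked EXEC, xp_cmdshell,
# UNION SELECT. These rarely occur in legitimate EPM console requests.
PATTERN_RULE = re.compile(
    r"('\s*(or|and)\s+\d+\s*=\s*\d+)"        # x' OR 1=1
    r"|(--\s*$|;\s*exec\b|\bxp_cmdshell\b)"  # trailing --, ;EXEC, xp_cmdshell
    r"|(\bunion\s+(all\s+)?select\b)",       # UNION [ALL] SELECT
    re.IGNORECASE,
)


def parse(line):
    """Split one assumed-format log line into its fields."""
    ts, user, method, request = line.split(" ", 3)
    return {"ts": ts, "user": user, "method": method, "request": request}


def flag_line(line, rule):
    """True if the rule matches the request portion of the log line."""
    return rule.search(parse(line)["request"]) is not None


def triage(lines):
    """Label each line 'likely' (pattern hit), 'review' (keyword only) or 'clean'."""
    results = []
    for line in lines:
        if flag_line(line, PATTERN_RULE):
            results.append(("likely", line))
        elif flag_line(line, KEYWORD_RULE):
            results.append(("review", line))
        else:
            results.append(("clean", line))
    return results


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOGS):
        print(f"{label:6s} {line}")
```

Lines labelled "likely" are worth an immediate look at the admin account involved; "review" hits are where the plain keyword query spends most of an analyst's time.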