CVE-2024-32848
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. It affects Ivanti EPM versions before 2022 SU6 and before the September 2024 update. Attackers with admin access can exploit this to compromise the entire EPM system.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the EPM server, deploying ransomware, stealing all managed endpoint credentials, and pivoting to other network systems.
Likely Case
Attacker with stolen admin credentials executes SQL injection to gain RCE, installs persistence mechanisms, and exfiltrates sensitive endpoint management data.
If Mitigated
With proper network segmentation, admin credential protection, and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
SQL injection to RCE chain is well-documented for Ivanti products. Requires admin credentials but exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU6 or September 2024 update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the patch from the Ivanti portal.
2. Back up the EPM database and configuration.
3. Apply the patch following Ivanti's installation guide.
4. Restart the EPM server.
5. Verify patch installation in the EPM console.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the EPM management interface to trusted administrative networks only
Admin Account Hardening
Implement MFA for all admin accounts and enforce strong password policies
🧯 If You Can't Patch
- Implement strict network access controls to limit EPM interface exposure
- Monitor all admin account activity and implement anomaly detection for SQL queries
🔍 How to Verify
Check if Vulnerable:
Check EPM version in console: Settings > About. If version is before 2022 SU6 or before September 2024 update, system is vulnerable.
Check Version:
In EPM console: Navigate to Settings > About to view version information
Verify Fix Applied:
Verify version shows 2022 SU6 or later, or September 2024 update applied. Check patch installation logs for successful completion.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in EPM logs
- Multiple failed admin login attempts followed by successful login
- Unexpected process creation from EPM service account
Network Indicators:
- Unusual outbound connections from EPM server
- SQL injection patterns in HTTP requests to EPM management interface
SIEM Query:
source="epm_logs" AND ("sql" OR "query") AND ("union" OR "select" OR "exec" OR "xp_cmdshell")
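As an added illustration of these log indicators (not part of the advisory), the following Python detector applies the SQL injection signatures and the failed-then-successful-login pattern above to constructed key=value log lines; the line format and field names are assumptions, since real EPM log output will differ.

```python
import re

# Constructed sample log lines in an assumed key=value format; not real Ivanti EPM output.
SAMPLE_LOGS = [
    'ts=2024-09-10T10:01:02Z user=admin src=10.0.0.5 event=login result=fail',
    'ts=2024-09-10T10:01:05Z user=admin src=10.0.0.5 event=login result=fail',
    'ts=2024-09-10T10:01:08Z user=admin src=10.0.0.5 event=login result=fail',
    'ts=2024-09-10T10:01:12Z user=admin src=10.0.0.5 event=login result=success',
    'ts=2024-09-10T10:02:30Z user=admin src=10.0.0.5 event=query sql="SELECT name FROM devices WHERE id=1"',
    'ts=2024-09-10T10:02:45Z user=admin src=10.0.0.5 event=query sql="SELECT name FROM devices WHERE id=1 UNION SELECT null,null"',
    "ts=2024-09-10T10:03:00Z user=admin src=10.0.0.5 event=query sql=\"'; EXEC xp_cmdshell --\"",
    'ts=2024-09-10T10:04:00Z user=alice src=10.0.0.9 event=query sql="SELECT count(*) FROM devices"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Injection signatures: UNION-based extraction, stacked EXEC statements, xp_cmdshell,
# or a trailing comment terminator. Plain SELECT is deliberately not matched.
SQLI_RE = re.compile(
    r"\bunion\s+(all\s+)?select\b|;\s*(exec|execute)\b|\bxp_cmdshell\b|--\s*$",
    re.IGNORECASE,
)

def parse_line(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_sqli(lines):
    """Return (user, src, sql) for query events whose SQL matches an injection signature."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("event") == "query" and SQLI_RE.search(rec.get("sql", "")):
            hits.append((rec["user"], rec["src"], rec["sql"]))
    return hits

def find_fail_then_success(lines, threshold=3):
    """Return (user, src, failures) where a login succeeded right after >= threshold failures."""
    streak, flagged = {}, []
    for rec in map(parse_line, lines):
        if rec.get("event") != "login":
            continue
        user = rec["user"]
        if rec["result"] == "fail":
            streak[user] = streak.get(user, 0) + 1
            continue
        if streak.get(user, 0) >= threshold:
            flagged.append((user, rec["src"], streak[user]))
        streak[user] = 0
    return flagged
```

Note that matching on a bare `select`, as the SIEM query above does, will fire on nearly every legitimate console query; the regex here requires a UNION, a stacked EXEC, xp_cmdshell or a comment terminator to keep noise down.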