CVE-2024-34780
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. Organizations using Ivanti EPM versions before the November 2024 security updates are affected. Attackers with admin credentials can exploit this to compromise the EPM server.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the EPM server leading to domain-wide endpoint control, credential theft, lateral movement, and persistent backdoor installation across managed endpoints.
Likely Case
Database compromise leading to sensitive information disclosure, privilege escalation, and limited code execution on the EPM server.
If Mitigated
Attack limited to authenticated admin users only, with network segmentation preventing lateral movement and EDR detecting anomalous SQL queries.
🎯 Exploit Status
SQL injection typically has low exploitation complexity, but requires admin credentials. No public exploit code available at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: November 2024 Security Update for EPM 2024, or EPM 2022 SU6 November Security Update for EPM 2022
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the November 2024 security update from the Ivanti portal.
2. Apply it to the EPM server.
3. Restart EPM services.
4. Verify patch installation through the EPM console.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the EPM web interface to only necessary administrative networks
Admin Account Hardening
Implement MFA for EPM admin accounts and review admin access permissions
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules in front of EPM
- Monitor for unusual SQL queries in EPM database logs and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the console: Settings > About. If the version predates the November 2024 security updates, the system is vulnerable.
Check Version:
Check EPM web interface or run: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Endpoint Manager*'}
Verify Fix Applied:
Verify patch installation in EPM console and check that version shows November 2024 security updates applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in EPM database logs
- Multiple failed login attempts followed by admin login
- Unexpected process execution from EPM server
Network Indicators:
- Unusual outbound connections from EPM server
- SQL query patterns indicative of injection attempts
SIEM Query:
source="epm_logs" AND (sql_query CONTAINS "UNION" OR sql_query CONTAINS "SELECT * FROM" OR sql_query CONTAINS "xp_cmdshell")
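Added example, not part of the advisory: the SIEM query above expressed as a small Python scan over constructed sample log lines. It assumes a hypothetical "timestamp|user|sql_query" line format (real EPM database log formats differ) and matches the three keywords case-insensitively on word boundaries, so a column name such as "reunion_events" does not fire.

```python
import re

# The three indicators from the SIEM query, compiled so matching is
# case-insensitive and anchored on word boundaries (CONTAINS-style substring
# matching would also flag harmless identifiers that merely contain "union").
INJECTION_PATTERNS = {
    "union": re.compile(r"\bUNION\b", re.IGNORECASE),
    "select_all": re.compile(r"\bSELECT\s+\*\s+FROM\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
}

# Constructed sample lines in an assumed "timestamp|user|sql_query" format.
# These are illustrative only, not real EPM log output.
SAMPLE_LOG = """\
2024-11-05T10:01:02|admin|SELECT name FROM devices WHERE id = 42
2024-11-05T10:01:09|admin|SELECT name FROM devices WHERE id = 42 UNION SELECT username FROM users
2024-11-05T10:02:15|svc_report|SELECT * FROM audit_log WHERE day = '2024-11-05'
2024-11-05T10:03:40|admin|EXEC master..xp_cmdshell 'whoami'
2024-11-05T10:04:01|admin|SELECT count(1) FROM reunion_events
"""


def parse_line(line):
    """Split one log line into (timestamp, user, sql_query); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def scan_log(text):
    """Return (timestamp, user, [matched pattern names]) for each flagged line."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected format
        timestamp, user, query = parsed
        matched = [name for name, rx in INJECTION_PATTERNS.items() if rx.search(query)]
        if matched:
            hits.append((timestamp, user, matched))
    return hits


if __name__ == "__main__":
    for timestamp, user, matched in scan_log(SAMPLE_LOG):
        print(timestamp, user, ",".join(matched))
```

Lines 2, 3 and 4 of the sample are flagged; line 5 is not, which is the false positive a plain substring CONTAINS rule would raise.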