CVE-2024-50326

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. Organizations using Ivanti EPM versions before the November 2024 security updates are affected.

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager
Versions: All versions before 2024 November Security Update or 2022 SU6 November Security Update
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to exploit

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative access to the underlying server, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Database compromise leading to sensitive information disclosure, privilege escalation, and potential RCE on the EPM server.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and input validation controls are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit once identified, but this one requires admin credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024 November Security Update or 2022 SU6 November Security Update

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022

Restart Required: Yes

Instructions:

1. Download the November 2024 security update from the Ivanti portal.
2. Apply the update following Ivanti's documentation.
3. Restart the EPM server and services.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit administrative access to only trusted users and implement multi-factor authentication

Network Segmentation

all

Isolate EPM server from critical systems and implement firewall rules

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at the application layer
  • Deploy a web application firewall with SQL injection rules

🔍 How to Verify

Check if Vulnerable:

Check EPM version in Ivanti console: Settings > About

Check Version:

Check Ivanti EPM console or review installed updates in Windows Control Panel

Verify Fix Applied:

Verify version shows 2024 November Security Update or 2022 SU6 November Security Update applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by admin access
  • Unexpected process execution on EPM server

Network Indicators:

  • Unusual outbound connections from EPM server
  • SQL query patterns in HTTP requests to EPM

SIEM Query:

source="epm_logs" AND (sql OR injection OR "exec sp_")
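
Two of the indicators above can be checked mechanically: the SIEM query's terms and "multiple failed login attempts followed by admin access". The following Python sketch is an added example, not code from Ivanti or the original page. The key=value log format, field and event names, and the threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format (not a real EPM log format).
SAMPLE_LOG = """\
2024-11-12T10:00:01 src=10.0.0.5 user=epmadmin event=login_failed msg="bad password"
2024-11-12T10:00:09 src=10.0.0.5 user=epmadmin event=login_failed msg="bad password"
2024-11-12T10:00:17 src=10.0.0.5 user=epmadmin event=login_failed msg="bad password"
2024-11-12T10:01:02 src=10.0.0.5 user=epmadmin event=admin_login msg="console session opened"
2024-11-12T10:03:40 src=10.0.0.5 user=epmadmin event=db_query msg="EXEC sp_configure 'show advanced options'"
2024-11-12T11:15:00 src=10.0.0.9 user=helpdesk event=login_failed msg="bad password"
2024-11-12T11:15:30 src=10.0.0.9 user=helpdesk event=admin_login msg="console session opened"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
                     r'event=(?P<event>\S+) msg="(?P<msg>.*)"$')
# Terms taken from the SIEM query above, matched case-insensitively as substrings.
TERMS = re.compile(r'sql|injection|exec sp_', re.IGNORECASE)

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}

def keyword_hits(events):
    """Events whose message contains any term from the SIEM query."""
    return [e for e in events if TERMS.search(e["msg"])]

def failed_then_admin(events, threshold=3, window=timedelta(minutes=10)):
    """Admin logins preceded by >= threshold failures from the same source within window."""
    failures = defaultdict(deque)       # src -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        recent = failures[e["src"]]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()            # drop failures older than the window
        if e["event"] == "login_failed":
            recent.append(e["ts"])
        elif e["event"] == "admin_login":
            if len(recent) >= threshold:
                alerts.append((e["src"], e["user"], e["ts"], len(recent)))
            recent.clear()              # a success resets the failure streak
    return alerts

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(failed_then_admin(events), [e["msg"] for e in keyword_hits(events)])
```

Keyword matches alone are noisy on a database-backed product, so treat them as triage input and weight them higher when they follow a correlated login alert from the same source.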
