CVE-2024-50328
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated administrators to execute arbitrary SQL commands, potentially leading to remote code execution. It affects Ivanti EPM 2024 and EPM 2022 SU6 installations that have not applied the November 2024 security update. Only authenticated users with admin privileges can exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin credentials achieves full system compromise through SQL injection leading to remote code execution, potentially gaining complete control over the EPM server and connected endpoints.
Likely Case
Privileged insider or compromised admin account uses SQL injection to execute arbitrary commands, potentially accessing sensitive data or modifying system configurations.
If Mitigated
With proper access controls, network segmentation, and admin credential protection, exploitation is limited to authorized administrators who should already have extensive system access.
🎯 Exploit Status
Requires admin credentials and SQL injection knowledge. No public exploit code was available at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: November 2024 Security Update for EPM 2024 or November 2024 Security Update for EPM 2022 SU6
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the November 2024 security update from the Ivanti support portal.
2. Back up your EPM database and configuration.
3. Apply the update following Ivanti's installation guide.
4. Restart the EPM server services.
5. Verify successful installation through the EPM console.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to only essential personnel and implement multi-factor authentication for all admin accounts.
Network Segmentation
Isolate EPM servers from internet access and restrict internal network access to only the necessary management systems.
🧯 If You Can't Patch
- Implement strict access controls and monitor all admin account activity
- Deploy web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the console under Help > About. If the version predates the November 2024 security update, the system is vulnerable.
Check Version:
In EPM console: Navigate to Help > About to view version information
Verify Fix Applied:
Verify the installed update appears in the EPM console under Updates/Patches section and version number reflects the November 2024 security update.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in EPM database logs
- Multiple failed login attempts followed by successful admin login
- Unexpected process execution from EPM server
Network Indicators:
- Unusual database connections from EPM server
- Suspicious outbound connections from EPM server
SIEM Query:
source="epm_logs" AND (sql_injection_terms OR "exec" OR "xp_cmdshell")
Here sql_injection_terms is a placeholder for your own SQL injection keyword list. Note that a bare "exec" term also matches legitimate stored-procedure calls, so tune the query or correlate hits with the account-activity indicators above to keep false positives manageable.
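As an added example, not part of the advisory, the log indicators above turned into a small offline check that scores each statement against several SQL injection markers (xp_cmdshell, EXEC calls, stacked statements, comment terminators) and only reports statements that trip more than one. The pipe-delimited log format, the table and procedure names, and the account names are all constructed assumptions, not EPM's real log layout.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical "timestamp | user | statement" layout.
# Line 2 is the malicious case; line 3 is a legitimate stored-procedure call that a
# bare "exec" keyword search would flag as a false positive.
SAMPLE_LOG = """\
2024-11-14T09:01:12Z | svc_epm | SELECT Name FROM Computer WHERE Computer_Idn = 1042
2024-11-14T09:02:45Z | admin_jdoe | SELECT Name FROM Computer WHERE Name = 'LAB-01'; EXEC xp_cmdshell 'whoami'--'
2024-11-14T09:03:01Z | admin_jdoe | EXEC dbo.usp_RefreshInventory @ComputerIdn = 1042
2024-11-14T09:04:20Z | svc_epm | UPDATE Computer SET LastScan = GETDATE() WHERE Computer_Idn = 1042
"""

# Each marker on its own is weak evidence; several in one statement is a strong signal.
SUSPICIOUS = [
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("exec call", re.compile(r"\b(exec(ute)?|sp_executesql)\b", re.I)),
    ("stacked statement", re.compile(r";\s*\w")),
    ("comment terminator", re.compile(r"--|/\*")),
]


@dataclass
class LogEntry:
    timestamp: str
    user: str
    statement: str


def parse_line(raw: str) -> LogEntry:
    """Split one constructed-format line into its three fields."""
    ts, user, stmt = (part.strip() for part in raw.split("|", 2))
    return LogEntry(ts, user, stmt)


def score(entry: LogEntry) -> list[str]:
    """Return the names of every marker present in the statement."""
    return [name for name, rx in SUSPICIOUS if rx.search(entry.statement)]


def find_suspicious(log_text: str, min_hits: int = 2) -> list[dict]:
    """Report statements with at least min_hits markers, attributed to the account."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        hits = score(entry)
        if len(hits) >= min_hits:
            findings.append({"user": entry.user, "timestamp": entry.timestamp, "hits": hits})
    return findings
```

Running find_suspicious(SAMPLE_LOG) with the default threshold reports only the admin_jdoe xp_cmdshell statement; lowering min_hits to 1 also surfaces the benign usp_RefreshInventory call, which is the false-positive case the SIEM caveat above refers to.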