CVE-2024-50330
📋 TL;DR
This critical SQL injection vulnerability in Ivanti Endpoint Manager allows remote unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution. All organizations running affected versions of Ivanti EPM are at risk, particularly those with internet-facing instances.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrative control over the EPM server, lateral movement to connected endpoints, and data exfiltration.
Likely Case
Database compromise leading to credential theft, configuration manipulation, and installation of backdoors for persistent access.
If Mitigated
Limited impact with proper network segmentation and web application firewalls blocking SQL injection attempts.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized quickly. The unauthenticated nature and high CVSS score make this attractive to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 November Security Update or 2022 SU6 November Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the November 2024 security update from the Ivanti portal.
2. Back up your EPM database and configuration.
3. Apply the update following Ivanti's installation guide.
4. Restart the EPM services and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate EPM servers from internet access and restrict internal access to authorized networks only.
Web Application Firewall
Deploy a WAF with SQL injection protection rules in front of the EPM web interface.
🧯 If You Can't Patch
- Immediately isolate the EPM server from all network access except absolutely required management connections.
- Implement strict network monitoring and alerting for any SQL injection attempts against the EPM web interface.
🔍 How to Verify
Check if Vulnerable:
Check EPM version in Administration Console > About. If version is before November 2024 security update (for 2024) or 2022 SU6 November update, you are vulnerable.
Check Version:
Check via EPM web interface: Administration > About, or check Windows Programs and Features for Ivanti Endpoint Manager version.
Verify Fix Applied:
Verify version shows the November 2024 security update applied. Test web interface functionality remains intact.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by successful access
- Unexpected process creation from EPM service account
Network Indicators:
- SQL injection patterns in HTTP requests to EPM web endpoints
- Outbound connections from EPM server to unknown external IPs
SIEM Query:
source="epm_web_logs" AND (http_uri="*sql*" OR http_uri="*union*" OR http_uri="*select*" OR http_uri="*insert*")
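The SIEM query above matches bare keywords in the raw URI, which misses percent-encoded payloads and flags legitimate paths that happen to contain words like "select" or "union". The following is an added example, not Ivanti's code or part of the advisory: it URL-decodes each request target from a web access log before matching, and matches on injection grammar (quote followed by a boolean tautology, UNION ... SELECT, stacked statements) rather than single words. The log format, paths and sample lines are constructed placeholders, not real EPM endpoints; the `keyword_only_hits` function reproduces the page's query literally so the two approaches can be compared on the same input.

```python
"""Scan web access logs for SQL-injection-style request patterns.

Added example (not Ivanti's or the advisory's code). Refines a keyword-only
SIEM query by URL-decoding the request target before matching and by matching
injection grammar instead of bare words. Log format, paths and sample lines
are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a common-log-style format; the paths are
# placeholders and are not real EPM endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "GET /portal/selectProfile?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2024:10:01:07 +0000] "GET /portal/report?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192
10.0.0.9 - - [12/Nov/2024:10:01:09 +0000] "GET /portal/report?id=42%20UNION%20SELECT%20name,pass%20FROM%20users HTTP/1.1" 500 0
10.0.0.7 - - [12/Nov/2024:10:02:00 +0000] "POST /portal/login HTTP/1.1" 302 0
10.0.0.7 - - [12/Nov/2024:10:02:30 +0000] "GET /portal/union-contract/insert-form HTTP/1.1" 200 1024
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Injection grammar, applied to the decoded, lower-cased request target.
SQLI_PATTERNS = {
    "quote_boolean": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b"),
}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and '+' so the target is compared in the form
    # the application's SQL layer would actually receive.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(decoded_target):
    """Return the names of the injection patterns matched by a decoded target."""
    text = decoded_target.lower()
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def scan_log(text):
    """Return one finding per log line whose decoded target matches an injection pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["decoded"])
        if hits:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "target": rec["decoded"], "patterns": hits,
            })
    return findings


def keyword_only_hits(text):
    """The page's SIEM query taken literally: the raw URI contains one of the keywords."""
    keywords = ("sql", "union", "select", "insert")
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and any(k in rec["target"].lower() for k in keywords):
            hits.append(rec["target"])
    return hits


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['patterns']} {f['target']}")
    print("keyword-only matches:", keyword_only_hits(SAMPLE_LOG))
```

On the constructed sample, the decoding scanner reports the two encoded injection attempts and nothing else, while the literal keyword query misses the encoded tautology and flags two benign paths (`selectProfile`, `union-contract/insert-form`). In a real deployment, feed it the EPM web server's access log and tune the patterns against a week of known-good traffic before alerting on them.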