CISA has added a critical vulnerability in Ivanti’s Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation. The flaw, identified as CVE-2024-29824, was patched in May and holds a CVSS severity score of 9.6/10.
The vulnerability, an SQL injection issue in the Core server of EPM 2022 SU5 and earlier versions, allows unauthenticated attackers on the same network to execute arbitrary code. Ivanti confirmed exploitation of this flaw, noting that a small number of customers had been affected.
Horizon3.ai previously released a proof-of-concept (PoC) exploit in June, highlighting a weakness in the RecordGoodApp() function within PatchBiz.dll, which improperly handles SQL queries, enabling remote code execution through xp_cmdshell.
The exact methods of the ongoing attacks remain unclear, but this incident marks the fourth Ivanti vulnerability exploited in just a month, reinforcing the appeal of the company’s products as a target for cybercriminals. The other recently exploited Ivanti vulnerabilities include:
- CVE-2024-8190 (OS command injection in Cloud Service Appliance, CVSS 7.2)
- CVE-2024-8963 (Path traversal in Cloud Service Appliance, CVSS 9.4)
- CVE-2024-7593 (Authentication bypass in Virtual Traffic Manager, CVSS 9.8)
Federal agencies have been instructed to apply the necessary updates by October 23, 2024, to protect against these active threats.