On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Ivanti had already patched the flaw in a May update.
The vulnerability, designated as CVE-2024-29824, has been assigned a critical CVSS score of 9.6, indicating a significant risk for affected systems. According to Ivanti’s advisory released on May 21, 2024, an unspecified SQL Injection vulnerability in the Core server of EPM 2022 SU5 and earlier versions enables unauthenticated attackers on the same network to execute arbitrary code.
The root of the vulnerability has been traced to a function named RecordGoodApp() in a dynamic link library (DLL) called PatchBiz.dll. The function handles SQL statements inadequately, and the resulting injection lets attackers reach the SQL Server extended stored procedure xp_cmdshell to achieve remote code execution.
Although detailed exploitation methods in real-world scenarios remain largely undisclosed, Ivanti has confirmed that exploitation of CVE-2024-29824 has occurred and reported targeting of “a limited number of customers.” This incident highlights the growing appeal of vulnerabilities in Ivanti products for malicious actors, as multiple flaws have been actively exploited within a short time frame.
Recent reports indicate that at least four separate vulnerabilities in Ivanti appliances, including CVE-2024-8190 and CVE-2024-8963, have been subjected to active attacks. These vulnerabilities range from command injection to path traversal and authentication bypass, collectively presenting a notable risk to organizations using Ivanti products.
Under the binding directive that governs the KEV catalog, federal agencies must upgrade their deployments to the latest versions by October 23, 2024. In MITRE ATT&CK terms, exploitation of these flaws maps most naturally to Initial Access, where an attacker uses the vulnerability to gain a foothold in the target network, and to the execution of commands with the privileges of the compromised service.
Tracking such vulnerabilities remains essential for organizations defending their networks. The recurrence of flaws in a mature, widely deployed product such as EPM shows that established software still carries significant risk, and it reinforces the need for prompt patching and continuous review of defensive measures.