Channel: IBM X-Force: Stealthy attacks on the rise, toolkits targeting AI emerge | CSO Online

Critical Ivanti flaw exploited despite available patches


The US Cybersecurity and Infrastructure Security Agency (CISA) has warned Ivanti customers of active exploitation of a critical Endpoint Manager (EPM) vulnerability allowing remote code execution (RCE) that the company fixed in May 2024.

Tracked as CVE-2024-29824, the flaw is a SQL injection vulnerability in the Ivanti EPM core server that allows an unauthenticated attacker within the same network to execute arbitrary code.

The warning by CISA followed an October 1 update on the security advisory Ivanti issued in May, now adding “Ivanti has confirmed exploitation of CVE-2024-29824 in the wild. At the time of this update, we are aware of a limited number of customers who have been exploited.”

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

EPM raked with RCE flaws

The 2022 and prior releases of Ivanti’s EPM, available to customers under the label service update 5 (SU5), were marred by a clutch of critical RCE bugs, including CVE-2024-29824, all rated CVSS 9.6 out of 10.

The solution, which allows organizations to manage, secure, and automate the maintenance of devices within an IT environment, including desktops, laptops, servers, and mobile devices, was reportedly affected by a flaw that allowed a string of malicious SQL queries to be executed against the underlying databases.
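The article names the vulnerability class (SQL injection reaching the core server's database) but, as it notes, Ivanti has not published the technical details. The following is an added example, not Ivanti's code and not drawn from the public proof of concept: a constructed device-lookup function that splices caller input into the SQL text, the parameterized version that fixes it, and a small check a defender can run against both to tell them apart. The table, hostnames and the probe string are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for a device-management backend.
# The schema and rows are invented for this example; they are not Ivanti's.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (hostname, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-01", "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, hostname: str) -> list:
    # Defect: the caller-supplied value becomes part of the SQL text, so a
    # value containing quotes can change the structure of the query.
    sql = f"SELECT hostname, owner FROM devices WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, hostname: str) -> list:
    # Fix: the value is bound as a parameter. The driver sends the query
    # shape and the value separately, so the value is never parsed as SQL.
    sql = "SELECT hostname, owner FROM devices WHERE hostname = ?"
    return conn.execute(sql, (hostname,)).fetchall()


def is_injectable(lookup, conn: sqlite3.Connection, probe: str) -> bool:
    """Defender's check: a lookup is injectable if a probe value that matches
    no hostname literally still returns rows. The probe is the textbook
    tautology string and is constructed here for the check."""
    assert not any(r[0] == probe for r in conn.execute("SELECT hostname FROM devices"))
    return len(lookup(conn, probe)) > 0


# Constructed probe: no hostname in the table equals this string literally.
PROBE = "ws-01' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(f"{name:10s} rows for probe: {len(fn(db, PROBE))} "
              f"injectable={is_injectable(fn, db, PROBE)}")
```

Running the block reports three rows for the vulnerable lookup and none for the hardened one; the only difference between the two functions is whether the value travels as bound parameter or as query text, which is the whole of the fix for this class of bug. Stacked statements, which the article's wording ("a string of malicious SQL queries") points at, are blocked by the same change, since a bound parameter cannot terminate the statement it belongs to.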

The other five critical SQL injection vulnerabilities were tagged as CVE-2024-29822, CVE-2024-29823, CVE-2024-29825, CVE-2024-29826, and CVE-2024-29827.

While the company did not disclose the technical details of the exploitation observed, Horizon3.ai, a cybersecurity firm specializing in pentesting, posted a proof-of-concept exploit on GitHub.

Ivanti did not respond to queries seeking details of the exploit.

Mitigation is limited to patching

Customers using the affected versions are advised to apply the patches to their Ivanti endpoint solution and, where patching isn’t possible, to discontinue use of the product immediately.

There is no evidence of exploitation in any ransomware attacks, CISA said in its KEV entry.

Ivanti has suffered a string of intrusions in 2024, compelling the IT management vendor to commit to a security do-over in April 2024. In a letter addressed to its customers and partners, CEO Jeff Abbott promised a revamp to strengthen controls.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure,” Abbott had said in the letter. “We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.”
