
Multiple High-Risk Vulnerabilities in Ivanti Endpoint Manager Affecting All Versions Before November 2024 Security Update

Filip Dimitrov

November 18, 2024

Ivanti has disclosed a total of 18 new vulnerabilities in its Endpoint Manager software, which affect all versions of the software prior to the November 2024 security update.

All of the identified vulnerabilities allow attackers to achieve remote code execution (RCE), making it imperative for organizations using the software to apply the latest security update immediately.

For detailed information on the vulnerabilities, and how to apply patches to protect your organization, please refer to the official advisory by Ivanti regarding this issue.

Breakdown of Vulnerabilities

The newly disclosed vulnerabilities encompass both path traversal and SQL injection flaws, allowing for unauthorized code execution by unauthenticated and authenticated attackers.

Here are some of the most critical identified vulnerabilities:

This path traversal vulnerability allows a local unauthenticated attacker to execute arbitrary code on the EPM server. Exploiting this flaw requires user interaction, but once exploited, it enables the attacker to bypass normal access restrictions, potentially gaining full control of the server. 

This SQL injection vulnerability allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the EPM server. By injecting malicious SQL code, an attacker can manipulate database queries and potentially compromise sensitive data or server functionality.

  • CVE-2024-50330 – SQL Injection (Critical Severity, CVSS Score: 9.8)

Among the most severe of the vulnerabilities, this SQL injection flaw can be exploited by a remote unauthenticated attacker to execute code on the EPM server without any user interaction or special privileges. 

This vulnerability allows an unauthenticated remote attacker to achieve code execution through a path traversal exploit. Like other path traversal vulnerabilities, this flaw enables attackers to access restricted files and execute code, potentially compromising the entire system.

Affected Versions

  • Ivanti Endpoint Manager (EPM):
    • All versions prior to the November 2024 security update
    • 2022 SU6 September security update and earlier

Recommendation

  1. Install the latest security update from Ivanti.
  2. Apply the principle of least privilege across your network to restrict user and administrative access.
  3. Conduct regular penetration testing to identify vulnerabilities of this kind within your systems before they become public knowledge.

Ivanti RCE Vulnerabilities Under Active Exploitation

In October 2024, CISA issued a warning regarding a particularly severe Ivanti vulnerability, CVE-2024-29824, which allows unauthenticated attackers to gain remote code execution capabilities on EPM appliances. 

This SQL injection flaw affects EPM Core servers and has been actively exploited in real-world attacks. Ivanti initially patched this vulnerability in May 2024, but its presence on the CISA Known Exploited Vulnerabilities list shows that the risk remains high for unpatched systems.

A report by SecurityWeek further supports the claim that CVE-2024-29824 was exploited against a limited number of Ivanti customers.

Additionally, BleepingComputer reported on the increased exploitation of Ivanti vulnerabilities, including zero-day attacks on Ivanti’s VPN and Cloud Services Appliance products. With attackers chaining multiple vulnerabilities for more effective breaches, organizations worldwide are encouraged to prioritize patches across Ivanti’s product line.

Stay Secure. Stay Informed.

OP Innovate Research Team.
