On May 24, 2024, the Zero-Day Initiative released a security advisory for a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), designated CVE-2024-29824 with a severity rating of 9.6. The flaw resides in the “RecordGoodApp” function of PatchBiz.dll, and the injection can be leveraged to execute arbitrary code. Researchers from Horizon3 have published a proof-of-concept demonstrating how the vulnerability can be exploited through the xp_cmdshell stored procedure to achieve remote code execution. Because the flaw is reachable through the /WSStatusEvents endpoint, it poses a significant threat. Ivanti EPM users are strongly advised to upgrade to the latest version to mitigate this risk. The exploit code is available on GitHub, and monitoring MS SQL logs for suspicious use of xp_cmdshell is recommended to detect potential exploitation.
Ivanti EPM SQL Injection Flaw Allows Remote Code Execution

Bar Refael
June 16, 2024
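The xp_cmdshell monitoring recommended above, worked into an added example (not part of the original article, nor code from Ivanti or Horizon3): it scans constructed web-server and SQL Server log lines in an assumed, simplified format, flags every xp_cmdshell reference, and correlates each one with a preceding request to the /WSStatusEvents endpoint.

```python
"""Correlate /WSStatusEvents requests with xp_cmdshell use in SQL Server logs
(a detection aid for CVE-2024-29824). SAMPLE_LINES are constructed samples in
a simplified, assumed "<source> <ISO-8601 timestamp> <message>" format; adapt
parse_line() to the real IIS / SQL Server audit formats on the EPM server."""
import re
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    source: str        # "iis" (web server) or "mssql" (SQL Server)
    ts: datetime
    message: str

# Any reference to xp_cmdshell: enabling it via sp_configure or executing it.
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# Requests to the endpoint through which the SQL injection is triggered.
ENDPOINT = re.compile(r"/WSStatusEvents\b", re.IGNORECASE)

def parse_line(line: str) -> Event:
    source, ts, message = line.split(" ", 2)
    return Event(source, datetime.fromisoformat(ts.replace("Z", "+00:00")), message)

def find_suspicious(lines, window=timedelta(seconds=30)):
    """Return (correlated, shell): `shell` is every xp_cmdshell reference seen in
    SQL Server logs; `correlated` pairs each of them with a /WSStatusEvents
    request that preceded it by at most `window` (the strongest signal)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    requests = [e for e in events if e.source == "iis" and ENDPOINT.search(e.message)]
    shell = [e for e in events if e.source == "mssql" and XP_CMDSHELL.search(e.message)]
    correlated = [(r, s) for r in requests for s in shell
                  if timedelta(0) <= s.ts - r.ts <= window]
    return correlated, shell

SAMPLE_LINES = [  # constructed, not captured from a real system
    "mssql 2024-06-01T10:00:01Z SELECT name FROM dbo.Apps WHERE id = 42",
    "iis 2024-06-01T10:00:04Z POST /WSStatusEvents 200",
    "mssql 2024-06-01T10:00:06Z EXEC master..xp_cmdshell 'hostname'",
    "iis 2024-06-01T10:00:10Z GET /index.html 200",
    "iis 2024-06-01T12:00:00Z POST /WSStatusEvents 200",
    "mssql 2024-06-01T12:30:00Z EXEC sp_configure 'xp_cmdshell', 1",
]

if __name__ == "__main__":
    correlated, shell = find_suspicious(SAMPLE_LINES)
    for e in shell:
        print(f"[xp_cmdshell] {e.ts.isoformat()} {e.message}")
    for r, s in correlated:
        print(f"[CORRELATED] {r.message!r} followed by {s.message!r} "
              f"after {(s.ts - r.ts).total_seconds():.0f}s")
```

Requests to /WSStatusEvents are routine from managed endpoints, so the endpoint hits alone are noise; the pairing with xp_cmdshell activity within a short window is what merits an alert.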

