Ivanti EPM SQL Injection Flaw Allows Remote Code Execution

Bar Refael

June 16, 2024

On May 24, 2024, the Zero-Day Initiative released a security advisory for a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), designated CVE-2024-29824, with a severity rating of 9.6. The flaw resides in the “RecordGoodApp” function within the PatchBiz.dll file, allowing attackers to execute arbitrary code via SQL injection. Researchers from Horizon3 have published a proof-of-concept, demonstrating how this vulnerability can be exploited using the xp_cmdshell command to achieve remote code execution. This vulnerability can be triggered through the /WSStatusEvents endpoint, making it a significant threat. Ivanti EPM users are strongly advised to upgrade to the latest version to mitigate this risk. The exploit code is available on GitHub, and monitoring MS SQL logs for suspicious use of xp_cmdshell is recommended to detect potential exploitation.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Get OP Innovate CTI Alerts

Leave your email and get critical updates and alerts straight to your inbox