Critical Ivanti Vulnerability Actively Exploited, CISA Issues Warning

October 2, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited, critical vulnerability in Ivanti's Endpoint Manager (EPM) appliances. The flaw, tracked as CVE-2024-29824, allows threat actors to gain remote code execution capabilities. Ivanti EPM is a comprehensive endpoint management solution that enables administrators to manage client devices across various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.

The vulnerability is a SQL Injection flaw in Ivanti EPM's Core server. It can be exploited by unauthenticated attackers within the same network to execute arbitrary code on unpatched systems. Ivanti had released security updates to fix this flaw in May, along with patches for five other remote code execution bugs in EPM's Core server. All these vulnerabilities impacted Ivanti EPM 2022 SU5 and earlier versions.

Security researchers from Horizon3.ai published a detailed analysis of CVE-2024-29824 in June and released a proof-of-concept exploit on GitHub. This exploit can be used to 'blindly execute commands on vulnerable Ivanti EPM appliances.' The researchers also suggested administrators review MS SQL logs for evidence of xp_cmdshell being used to achieve command execution as a sign of potential exploitation.
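One way to carry out the log review the researchers suggest, as an added Python example that is not Horizon3.ai's or Ivanti's code: it scans log lines for xp_cmdshell being enabled or invoked and tags each hit for triage. The SAMPLE_LOG line format (timestamp, session id, statement text) is a constructed assumption; real SQL Server error-log, trace or Extended Events output differs, so adapt TIMESTAMP_RE to it.

```python
import re
from dataclasses import dataclass

# xp_cmdshell as a bare, bracket-quoted or fully qualified identifier
# (master..xp_cmdshell, master.dbo.xp_cmdshell); \b covers all of these
# because '[' and '.' are non-word characters.
EXEC_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# The procedure is disabled by default, so a line turning it on is itself notable.
ENABLE_RE = re.compile(r"\bsp_configure\b.*\bxp_cmdshell\b.*\b1\b", re.IGNORECASE)
# Assumed leading timestamp; adjust to the log format actually in use.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

@dataclass
class Finding:
    line_no: int
    timestamp: str   # "" when the line carries no leading timestamp
    kind: str        # "enable" or "execution"
    text: str

def scan_sql_log(lines):
    """Return one Finding per line that enables or invokes xp_cmdshell."""
    findings = []
    for n, line in enumerate(lines, 1):
        if ENABLE_RE.search(line):
            kind = "enable"
        elif EXEC_RE.search(line):
            kind = "execution"
        else:
            continue
        m = TIMESTAMP_RE.match(line)
        findings.append(Finding(n, m.group(1) if m else "", kind, line.strip()))
    return findings

def summarize(findings):
    """Count findings by kind; any 'execution' hit warrants review of that session."""
    counts = {"enable": 0, "execution": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts

# Constructed sample lines (not real Ivanti or SQL Server output).
SAMPLE_LOG = [
    "2024-10-01 09:14:02 spid51 Login succeeded for user 'app_user'.",
    "2024-10-01 09:14:05 spid51 Statement: SELECT Name FROM Devices WHERE Id = 42",
    "2024-10-01 09:15:11 spid63 Statement: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-10-01 09:15:12 spid63 Statement: EXEC master..xp_cmdshell 'hostname'",
    "2024-10-01 09:16:30 spid70 Statement: DBCC CHECKDB",
]

if __name__ == "__main__":
    for f in scan_sql_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.timestamp}] {f.kind}: {f.text}")
    print(summarize(scan_sql_log(SAMPLE_LOG)))
```

A benign hit (a DBA deliberately using the procedure) is possible, so treat the output as a triage list keyed on session and time rather than a verdict.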

Ivanti updated its original security advisory to confirm that CVE-2024-29824 is being exploited in the wild. The company stated, 'At the time of this update, we are aware of a limited number of customers who have been exploited.' Following this, CISA added the Ivanti EPM RCE flaw to its Known Exploited Vulnerabilities catalog, indicating that it is being actively exploited. As per the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are now required to secure vulnerable appliances within three weeks, by October 23.

While CISA's catalog primarily alerts federal agencies to vulnerabilities that should be patched immediately, organizations worldwide should also prioritize patching this vulnerability to prevent ongoing attacks. In the past few months, several Ivanti vulnerabilities have been exploited as zero-day flaws in widespread attacks targeting the company's VPN appliances and its ICS, IPS, and ZTA gateways. Last month, Ivanti warned that threat actors were exploiting two recently patched Cloud Services Appliance (CSA) vulnerabilities to attack unpatched appliances. In response, Ivanti announced in September that it is enhancing its responsible disclosure process and testing capabilities to address security threats more promptly. Ivanti collaborates with over 7,000 organizations to provide system and IT asset management solutions to more than 40,000 companies globally.
