The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw affecting Ivanti Endpoint Manager (EPM), which the company patched in May, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2024-29824, has a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity.
“Unspecified SQL Injection vulnerability in Ivanti EPM Core Server 2022 SU5 and earlier versions allows unauthenticated attackers on the same network to execute arbitrary code,” the software services provider said in an advisory published on May 21, 2024.
Horizon3.ai, which released a proof-of-concept (PoC) exploit for the flaw in June, said the problem is rooted in the RecordGoodApp() function in a DLL called PatchBiz.dll.
Specifically, it concerns the way the function handles an SQL query statement, allowing an attacker to obtain remote code execution via xp_cmdshell.
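Because the code execution step depends on xp_cmdshell, which SQL Server ships disabled, a defender can look for the option being switched on in the database server's error log. The following is an added example, not code from Ivanti, Horizon3.ai or CISA; the log lines are constructed samples in the usual ERRORLOG layout, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in SQL Server ERRORLOG layout (not from a real host).
SAMPLE_ERRORLOG = """\
2024-10-02 03:14:07.12 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-02 03:14:07.15 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-10-02 03:20:41.90 spid12s     Recovery is complete. This is an informational message only. No user action is required.
2024-10-02 03:31:55.03 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-10-02 09:00:00.00 spid70      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def xp_cmdshell_changes(errorlog_text):
    """Return every logged change to the xp_cmdshell option, oldest first."""
    events = []
    for line in errorlog_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m or m["option"].lower() != "xp_cmdshell":
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "spid": m["spid"],
            "old": int(m["old"]),
            "new": int(m["new"]),
            "enabled": int(m["new"]) == 1,
        })
    return events

def enable_windows(events):
    """Pair each enable with the next disable; an open window ends in None."""
    windows, start = [], None
    for e in events:
        if e["enabled"] and start is None:
            start = e["time"]
        elif not e["enabled"] and start is not None:
            windows.append((start, e["time"]))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

if __name__ == "__main__":
    for begin, end in enable_windows(xp_cmdshell_changes(SAMPLE_ERRORLOG)):
        print(f"xp_cmdshell enabled {begin} -> {end or 'still enabled'}")
```

A server where xp_cmdshell was already enabled before the log begins produces no change message, so an empty result does not show the option is off.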
The exact specifics of how the flaw is being exploited in the wild remain unclear, but Ivanti has since updated the bulletin to state that it has “confirmed the use of CVE-2024-29824” and that a “limited number of customers” were targeted.
With this latest development, as many as four different vulnerabilities in Ivanti appliances have been actively exploited throughout the month, showing them to be a lucrative attack vector for threat actors. The other three are:
- CVE-2024-8190 (CVSS Score: 7.2) – Cloud Service Appliance (CSA) operating system command injection vulnerability
- CVE-2024-8963 (CVSS Score: 9.4) – Path traversal vulnerability in CSA
- CVE-2024-7593 (CVSS Score: 9.8) – Virtual Traffic Manager (vTM) authentication bypass vulnerability
Federal agencies are mandated to update their instances to the latest version by October 23, 2024 to protect their networks from active threats.