What is Ivanti Endpoint Manager (EPM)?
Ivanti Endpoint Manager (EPM) is an enterprise IT asset management and endpoint control platform used by organizations to centrally discover, inventory, deploy software to, and manage the lifecycle of Windows, macOS, Linux, and mobile devices across their network. It is distinct from Ivanti EPMM (Endpoint Manager Mobile) — EPM focuses on traditional endpoints rather than mobile fleet management.
Key functions include:
- Asset discovery and inventory — automatically discover and catalog all devices on the network, including hardware specifications, installed software, and patch status
- Software distribution — centrally deploy, update, and remove applications across thousands of endpoints simultaneously
- Patch management — identify missing patches and orchestrate patch deployment across the managed device fleet
- OS deployment — provision bare-metal and virtual machines with operating system images at scale
- Remote control and troubleshooting — allow IT administrators to remotely connect to and manage endpoints
- Credential management — store and use privileged credentials (domain admin accounts, service accounts) required to authenticate to and manage remote endpoints
Because EPM is deeply integrated into the network and holds a privileged position over every managed endpoint, it is a high-value target for attackers seeking to move laterally or establish persistent access across an enterprise.
Overview
CVE-2024-29824 is an unauthenticated SQL injection vulnerability in the Core server component of Ivanti Endpoint Manager that allows an attacker on the same network segment to execute arbitrary operating system commands, achieving full remote code execution (RCE) under the EPM service account context.
The vulnerability was patched by Ivanti in May 2024, with a public proof-of-concept exploit released by Horizon3.ai in June 2024. By October 2024, Ivanti confirmed exploitation in the wild against a limited number of customers, prompting CISA to add it to the Known Exploited Vulnerabilities catalog and mandate patching for federal agencies by October 23, 2024.
Affected Versions
| Version | Status |
|---|---|
| EPM 2022 SU5 and prior | Vulnerable |
| EPM 2022 SU6 | Fixed |
| EPM 2024 (pre-SU1) | Vulnerable |
| EPM 2024 SU1 | Fixed |
Fix: Upgrade to Ivanti EPM 2022 SU6 or EPM 2024 SU1. The patch replaces five DLL files on the Core server; after applying the patch, either restart the Core server or close the EPM console and run IISRESET.
Technical Details
CVE-2024-29824 is a CWE-89 (SQL Injection) vulnerability located in PatchBiz.dll on the Ivanti EPM Core server. The vulnerable function is RecordGoodApp, which accepts user-supplied input and constructs SQL queries without proper validation or parameterization.
Attack chain:
- An unauthenticated attacker on the same network segment sends a crafted request to the EPM Core server's web service, invoking the RecordGoodApp method with a malicious SQL payload embedded in the input parameter.
- Because the input is not sanitized, the payload is interpreted by the underlying Microsoft SQL Server instance as executable SQL.
- The attacker uses SQL Server's xp_cmdshell stored procedure (or another SQL-based execution mechanism) to run arbitrary operating system commands under the EPM service account context.
- The result is full code execution on the EPM Core server without any credentials.
Attack characteristics:
- Attacker must be on the same network as the EPM Core server (CVSS Attack Vector: Adjacent) — the EPM management interface is typically not internet-facing
- No credentials or prior authentication required
- No user interaction required
- A single crafted request is sufficient to achieve code execution
- Execution context is the EPM service account, which typically holds elevated privileges on the host and across managed endpoints
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): The application constructs SQL queries using user-supplied data without escaping or parameterizing the input, allowing an attacker to alter the intended query structure and inject arbitrary SQL commands.
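To make the CWE-89 pattern concrete, the following is an added example (not code from Ivanti, PatchBiz.dll, or the Horizon3.ai analysis) that uses SQLite in place of SQL Server and a made-up good_apps table. One lookup splices the caller's input into the statement text the way the vulnerable code does; the other binds it as a parameter, which is the fix the advisory's CWE classification implies.

```python
import sqlite3


# Constructed stand-in for an application-allowlist table; not EPM's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE good_apps (name TEXT, approved INTEGER)")
    conn.executemany(
        "INSERT INTO good_apps VALUES (?, ?)",
        [("notepad.exe", 1), ("calc.exe", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, app_name):
    # CWE-89: untrusted input is spliced into the SQL text, so a quote in the
    # input terminates the string literal and the remainder is parsed as SQL.
    sql = ("SELECT name FROM good_apps WHERE name = '" + app_name
           + "' AND approved = 1")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, app_name):
    # Fixed form: the statement shape is fixed when it is parsed; the input is
    # bound as data and cannot alter the query structure.
    sql = "SELECT name FROM good_apps WHERE name = ? AND approved = 1"
    return [row[0] for row in conn.execute(sql, (app_name,))]


def compare(app_name):
    """Run the same input through both forms and return their result lists."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, app_name),
            "parameterized": lookup_parameterized(conn, app_name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves identically in both forms.
    print(compare("notepad.exe"))
    # A value containing a quote rewrites the WHERE clause in the concatenated
    # form (the approved = 1 filter no longer applies to every row) but is just
    # an unmatched string for the parameterized form.
    print(compare("calc.exe' OR '1'='1"))
```

In the real product the same fix is parameter binding in the .NET data-access code rather than string concatenation. Parameterization removes the injection, but the impact described above (operating-system command execution through xp_cmdshell under the EPM service account) is also a matter of database hardening: the procedure should stay disabled and the EPM database login should not hold the rights needed to enable it.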
Discovery
CVE-2024-29824 was reported to Ivanti by an anonymous researcher through Trend Micro's Zero Day Initiative (ZDI) program. ZDI coordinated the disclosure, with Ivanti releasing the patch on May 24, 2024. Horizon3.ai independently analyzed the vulnerability and published a detailed technical deep dive alongside a working proof-of-concept exploit on GitHub in June 2024.
Exploitation Context
Ivanti confirmed in early October 2024 that a limited number of customers had been exploited in the wild, coinciding with CISA adding the vulnerability to the KEV catalog on October 2, 2024. This occurred approximately four months after the patch was available and three months after Horizon3.ai published the public PoC — a gap that suggests organizations were slow to apply the update.
The attack vector (Adjacent network) limits opportunistic internet-wide scanning, but the vulnerability is well-suited for targeted attacks where an attacker has already achieved an initial foothold on a network segment that can reach the EPM management interface. EPM Core servers are typically positioned on internal corporate networks alongside IT management infrastructure, making this relevant in post-initial-access scenarios.
The availability of a public proof-of-concept on GitHub lowered the barrier to exploitation significantly. SQL injection leading to xp_cmdshell execution is a well-understood attack pattern, and the PoC demonstrated blind command execution against vulnerable EPM appliances.
Remediation
- Upgrade to EPM 2022 SU6 or EPM 2024 SU1 — apply the patch immediately; after patching, restart the Core server or run IISRESET as instructed
- Isolate the EPM Core server — ensure the EPM management interface is not reachable from untrusted network segments; restrict access to authorized IT management hosts and subnets only using firewall rules
- Review SQL Server logs — examine Microsoft SQL Server logs for evidence of xp_cmdshell calls or other anomalous stored procedure executions that may indicate prior exploitation
- Review EPM web server access logs — look for unusual or malformed requests to the EPM Core server web service from unexpected source IP addresses
- Audit the EPM service account — review Active Directory and local system logs for unauthorized activity performed under the EPM service account
- Hunt for post-exploitation indicators — if exploitation is suspected, review the host for new scheduled tasks, services, user accounts, or persistence mechanisms created around the exploitation window
- Discontinue use if patching to EPM 2022 SU6 or 2024 SU1 is not achievable — an unpatched EPM Core server reachable from any network segment with a known public exploit represents an unacceptable risk
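The two log-review steps above can be scripted. The following is an added example, not tooling from Ivanti or any of the cited researchers: it parses a constructed IIS W3C access-log excerpt using the #Fields directive, flags requests to the Core web service from client addresses outside a constructed management-subnet allowlist, scans a constructed SQL Server ERRORLOG excerpt for xp_cmdshell, and pairs flagged requests with SQL events that land within a short window afterwards. The web-service path, IP addresses and timestamps are placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt. The URI path is a placeholder, not
# the real EPM endpoint; hosts and timestamps are made up for the example.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-09-30 02:13:55 10.0.5.20 GET /EPM-WEBSERVICE-PLACEHOLDER/status.aspx - 10.0.5.41 EPMConsole/2022 200
2024-09-30 02:14:09 10.0.5.20 POST /EPM-WEBSERVICE-PLACEHOLDER/core.asmx - 10.0.77.133 python-requests/2.31 200
2024-09-30 02:20:31 10.0.5.20 POST /EPM-WEBSERVICE-PLACEHOLDER/core.asmx - 10.0.5.42 EPMConsole/2022 200
"""

# Constructed SQL Server ERRORLOG excerpt. By default the ERRORLOG records the
# configuration change that enables xp_cmdshell, not each call; per-call
# visibility requires SQL Audit or Extended Events.
SQL_ERRORLOG = """\
2024-09-30 02:14:10.12 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-09-30 02:14:10.15 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-09-30 03:00:00.00 spid12      This instance of SQL Server has been using a process ID of 4120 since 9/1/2024.
"""

# Subnets from which EPM console traffic is expected (constructed allowlist).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse_w3c(text):
    """Parse IIS W3C extended format into dicts, taking column names from #Fields."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                entries.append(dict(zip(fields, values)))
    return entries


def unexpected_sources(entries, allowed_nets=MANAGEMENT_NETS):
    """Return requests whose client address (c-ip) is outside the allowlist."""
    flagged = []
    for entry in entries:
        ip = ipaddress.ip_address(entry["c-ip"])
        if not any(ip in net for net in allowed_nets):
            flagged.append(entry)
    return flagged


def xp_cmdshell_events(text):
    """Return (timestamp, line) for ERRORLOG lines that mention xp_cmdshell."""
    hits = []
    for line in text.splitlines():
        if "xp_cmdshell" in line.lower():
            ts = datetime.strptime(line[:22], "%Y-%m-%d %H:%M:%S.%f")
            hits.append((ts, line.strip()))
    return hits


def correlate(requests, sql_hits, window=timedelta(seconds=120)):
    """Pair each flagged request with SQL events occurring within `window` after it."""
    pairs = []
    for req in requests:
        t0 = datetime.strptime(req["date"] + " " + req["time"], "%Y-%m-%d %H:%M:%S")
        for ts, line in sql_hits:
            if t0 <= ts <= t0 + window:
                pairs.append((req["c-ip"], req["cs-uri-stem"], line))
    return pairs


def review():
    """Run all three checks over the embedded samples and return the findings."""
    entries = parse_w3c(IIS_LOG)
    flagged = unexpected_sources(entries)
    hits = xp_cmdshell_events(SQL_ERRORLOG)
    return {
        "flagged_requests": flagged,
        "xp_cmdshell_hits": hits,
        "correlated": correlate(flagged, hits),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

On real logs, point parse_w3c at the site's W3C log files (IIS writes one #Fields line per file, so the parser must be fed whole files) and build the allowlist from the subnets where EPM consoles actually live. A correlated pair is a lead, not proof: the next step is to check who enabled xp_cmdshell and whether the host shows the persistence indicators listed above.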
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-29824 |
| Vendor / Product | Ivanti — Endpoint Manager (EPM) |
| NVD Published | 2024-05-31 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-89 |
| CISA KEV Added | 2024-10-02 |
| CISA KEV Deadline | 2024-10-23 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Adjacent (A) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Timeline
| Date | Event |
|---|---|
| 2024-04-03 | Vulnerability reported to Ivanti via Zero Day Initiative (ZDI) by an anonymous researcher |
| 2024-05-24 | Ivanti publishes Security Advisory EPM May 2024 and releases fix in EPM 2024 SU1 and EPM 2022 SU6 |
| 2024-05-31 | CVE-2024-29824 published to NVD |
| 2024-06-13 | Horizon3.ai publishes deep-dive technical analysis and releases proof-of-concept exploit on GitHub |
| 2024-10-02 | Ivanti confirms limited in-the-wild exploitation; CISA adds CVE-2024-29824 to Known Exploited Vulnerabilities catalog |
| 2024-10-23 | CISA BOD 22-01 remediation deadline for federal civilian executive branch agencies |
References
| Resource | Type |
|---|---|
| NVD — CVE-2024-29824 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Ivanti Security Advisory — EPM May 2024 | Vendor Advisory |
| CVE-2024-29824 Deep Dive — Horizon3.ai | Security Research |
| Horizon3.ai PoC Exploit — GitHub | Security Research |
| Critical Ivanti RCE flaw with public exploit now used in attacks — BleepingComputer | News |
| Critical Ivanti Endpoint Manager flaw exploited — Help Net Security | News |
| Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch — The Hacker News | News |