The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning regarding a known, exploited vulnerability. This vulnerability is an Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2024-29824) and has been added to CISA’s Known Exploited Vulnerabilities Catalog.

Security leaders weigh in

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

“The Ivanti EPM vulnerability is currently being actively exploited and poses a significant threat that requires immediate attention. This is because it allows unauthenticated attackers to execute arbitrary code on unpatched systems, potentially giving them extensive control over affected devices and access to sensitive data. Many organizations could be vulnerable due to the widespread use of Ivanti EPM, especially in enterprise environments.

“Exploiting this flaw could have serious consequences, such as data breaches, disruption of business operations, and further compromise of internal systems. Organizations using Ivanti EPM should prioritize patching their systems immediately and conduct thorough security assessments to detect and mitigate potential compromise. This situation emphasizes the critical importance of proactive vulnerability management and timely patching to protect against evolving threats. In an increasingly interconnected world, securing every IT asset, such as endpoints, applications, and APIs, is paramount to maintaining a strong security posture.”

Jason Soroko, Senior Fellow at Sectigo:

“The CVE-2024-29824 vulnerability in Ivanti Endpoint Manager (EPM) allows remote code execution via SQL Injection, posing serious risk in enterprise environments. Attackers on the same network can fully compromise unpatched EPM systems, leading to broader control. Although Ivanti patched this in May, a proof-of-concept exploit is public, and active exploitation is confirmed. Organizations must patch immediately, as failure to do so leaves systems vulnerable to arbitrary command execution and network-wide compromise. The risk is heightened by published attack methods and ongoing exploitation.”

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit:

“CVE-2024-29824 is an unauthenticated SQL injection vulnerability, which affects vulnerable Ivanti Endpoint Manager (EPM) appliances. Proof-of-concept code that exploits this vulnerability has been available since early June. Given all these facts, this definitely is a dangerous flaw.

“Multiple versions of proof-of-concept code available make use of different variations of the xp_cmdshell feature in SQL Servers. This primarily allows the attacker to execute arbitrary Windows commands. This means the attacker will be able to download and run scripts that can lead to the installation of malware, or even manipulate files on the endpoint. This functionality can also allow the attacker to exfiltrate data or laterally move to other systems in the network — effectively leading to a complete system compromise. This feature should be disabled on production systems that are externally exposed.”