root@rebel:~$ cd /news/threats/ivanti-epm-cve-2024-29824-exploited-technical-analysis-and-patching_
[TIMESTAMP: 2026-03-10 12:19 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Ivanti EPM CVE-2024-29824 Exploited: Technical Analysis and Patching

CRITICAL Vulnerabilities | #CVE-2024-29824 #Ivanti #EndpointManager
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Threat actors are actively exploiting CVE-2024-29824, a critical SQL injection vulnerability in the Core server of Ivanti Endpoint Manager (EPM), to achieve remote code execution without credentials. Ivanti's advisory scopes the attacker as unauthenticated but on the same network as the Core server.
  • [02] The vulnerability affects the Core server component of Ivanti EPM 2022 SU5 and earlier.
  • [03] Update affected Core servers to 2022 SU6 or apply the vendor hotfix now; CISA requires federal agencies to remediate by October 23, 2024.

Overview of the Ivanti EPM Exploitation

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog. The CVE, rated critical (CVSS 9.6), is an SQL injection flaw in the Core server of Ivanti Endpoint Manager (EPM). According to SecurityWeek, the flaw is being leveraged by attackers in the wild to achieve unauthenticated remote code execution.

Because Ivanti EPM is a centralized management hub for enterprise endpoints, a compromised Core server gives an attacker a platform that can reach every managed machine. That position lends itself to lateral movement and ransomware deployment. Organizations running EPM must treat remediation as immediate, since exploitation is already under way.

Technical Analysis: Unauthenticated RCE in Ivanti EPM

The vulnerability lies in how the Core server handles specific incoming web requests. Because the request data is not adequately validated before it is placed into a query, an attacker can inject SQL into the statements the Core server issues to its backend Microsoft SQL Server database. SQL injection is usually associated with reading or altering data, but SQL Server also exposes stored procedures such as xp_cmdshell that run operating-system commands, so an injection point that accepts stacked statements becomes command execution on the Core server itself. The result is full system compromise without any valid user credentials.

The flaw is particularly dangerous because the Core server sits in a privileged position in the network: it is trusted by every managed endpoint. Once an attacker has a foothold via this unauthenticated RCE, they can use EPM's own management channels to harvest credentials or push malicious payloads to thousands of workstations. Teams investigating their environments should review IIS logs on the Core server for unusual POST requests to EPM web services, particularly legacy API endpoints, and pay attention to requests that arrive from hosts that are not administrative workstations.

Expansion of the CISA KEV Catalog

The addition of the Ivanti flaw was part of a broader update to the KEV catalog, which included two other significant vulnerabilities. CISA also highlighted CVE-2024-28987, a critical hardcoded credential issue in SolarWinds Web Help Desk. This flaw allows an unauthenticated attacker to access or modify sensitive help desk data.

Furthermore, CISA re-emphasized the risk of CVE-2022-31656, an authentication bypass vulnerability affecting VMware Workspace ONE Access. The inclusion of these older or recently discovered bugs underscores a trend where APT groups and cybercriminals target management software that acts as a “single point of failure” for organizational security.

Ivanti Endpoint Manager 2022 SU5 Patch Guidance

Administrators running older versions must follow Ivanti's patch guidance for Endpoint Manager 2022 SU5 to secure their infrastructure. The vendor has released version 2022 SU6, which contains the fix for CVE-2024-29824. If an immediate upgrade to SU6 is not feasible, confirm whether the current build already has the vendor's security hotfix for this issue applied; the hotfix was released in 2024, so a build that has not been touched since then should be assumed vulnerable.

Beyond patching, organizations should adopt a Zero Trust architecture to limit the exposure of the Core server. Restricting access to the EPM management console via a VPN or a secure gateway can significantly reduce the attack surface.

Recommendations for Defenders

To mitigate the risk of exploitation, the following actions are recommended:

  • Immediate Patching: Update Ivanti EPM Core servers to version 2022 SU6 immediately. This is the primary defense against the active exploitation of CVE-2024-29824.
  • Log Review: Inspect SIEM and EDR telemetry for signs of unauthorized database interaction and for unusual child processes spawned by the EPM web service worker process (w3wp.exe). If the injection is pivoted through xp_cmdshell, the spawned shell is a child of the SQL Server process (sqlservr.exe) rather than of w3wp.exe, so watch both parents.
  • Network Segmentation: Ensure the EPM Core server is not directly accessible from the public internet. Use strict firewall rules to limit communication only to known managed endpoints and administrative subnets.
  • Monitor for post-exploitation activity: Watch for beaconing from the Core server to unfamiliar external hosts, consistent with common C2 frameworks, and for new or unexpected tasks, packages or scripts being pushed from EPM to managed endpoints.
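The two detection checks above (IIS log review and web-worker child processes), as an added example that is not part of the original article or any Ivanti tooling. Everything in it is constructed: the IIS log lines, the hosts, the `/EPM/legacy/...` endpoint path (a placeholder, not the real vulnerable URL) and the process events. It also encodes two caveats a practitioner needs: IIS logs do not record POST bodies, so an injection carried in a SOAP body is invisible to the log check, and an xp_cmdshell pivot spawns its shell under sqlservr.exe, not under w3wp.exe.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log sample (not observed exploit traffic). The endpoint
# paths and client addresses are invented for the example.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-10-02 03:14:07 10.0.0.5 GET /console/login.aspx - 443 10.0.1.20 Mozilla/5.0 200
2024-10-02 03:14:09 10.0.0.5 POST /EPM/legacy/AppData.asmx - 443 10.0.1.20 Mozilla/5.0 200
2024-10-02 03:15:41 10.0.0.5 POST /EPM/legacy/AppData.asmx - 443 203.0.113.77 python-requests/2.31 200
2024-10-02 03:15:42 10.0.0.5 GET /EPM/legacy/Lookup.asmx md5=x%27%3B+EXEC+xp_cmdshell+%27whoami%27-- 443 203.0.113.77 curl/8.0 500
"""

ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed management subnet
WEB_SERVICE = re.compile(r"(?i)\.(asmx|svc)$")       # legacy web-service endpoints
SQLI_TOKENS = re.compile(r"(?i)(xp_cmdshell|union\s+select|waitfor\s+delay|'\s*;|'\s*--)")

def parse_iis(text):
    """Parse W3C-format IIS lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def suspicious_requests(rows, admin_nets=ADMIN_NETS):
    """Flag POSTs to web-service endpoints from outside the admin subnets, and any
    request whose (URL-decoded) query string carries SQL injection tokens.
    IIS never logs the POST body, so a body-borne injection only shows up here
    as 'unexpected client talking to a web service'."""
    hits = []
    for r in rows:
        src = ipaddress.ip_address(r["c-ip"])
        trusted = any(src in net for net in admin_nets)
        query = unquote_plus(r.get("cs-uri-query", "-"))
        reasons = []
        if r["cs-method"] == "POST" and WEB_SERVICE.search(r["cs-uri-stem"]) and not trusted:
            reasons.append("POST to web service from non-admin source")
        if query != "-" and SQLI_TOKENS.search(query):
            reasons.append("SQL injection tokens in query string")
        if reasons:
            hits.append((r["c-ip"], r["cs-uri-stem"], reasons))
    return hits

# Constructed process-creation events (Sysmon event ID 1 style: parent -> child).
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# w3wp.exe covers execution from the web tier; sqlservr.exe covers the xp_cmdshell
# route, where the shell is a child of the database engine rather than of IIS.
SUSPECT_PARENTS = {"w3wp.exe", "sqlservr.exe"}

def suspicious_children(events):
    """Return (parent, child) pairs where a web worker or SQL Server spawned a shell."""
    def basename(path):
        return path.rsplit("\\", 1)[-1].lower()
    return [(basename(e["parent"]), basename(e["image"])) for e in events
            if basename(e["parent"]) in SUSPECT_PARENTS and basename(e["image"]) in SHELLS]

if __name__ == "__main__":
    for hit in suspicious_requests(parse_iis(IIS_LOG)):
        print("request:", hit)
    for pair in suspicious_children(PROC_EVENTS):
        print("process:", pair)
```

Run against real data, the request check is only a triage filter: tune `ADMIN_NETS` to the subnets that legitimately manage the Core server, and treat a shell under w3wp.exe or sqlservr.exe as a high-confidence signal regardless of what the web logs show.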

Federal agencies are mandated to complete these remediations by October 23, 2024; however, private sector SOC teams should treat this as a critical priority given the potential for mass-scale compromise.
