CVE-2024-29824 Overview
CVE-2024-29824 is a critical SQL Injection vulnerability affecting the Core server component of Ivanti Endpoint Manager (EPM) 2022 SU5 and prior versions. This vulnerability allows an unauthenticated attacker with adjacent network access to execute arbitrary code on affected systems. The flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild.
Critical Impact
Unauthenticated attackers on the same network can achieve arbitrary code execution through SQL injection, potentially leading to complete system compromise of enterprise endpoint management infrastructure.
Affected Products
- Ivanti Endpoint Manager 2022 (base version)
- Ivanti Endpoint Manager 2022 SU1 through SU5
- Ivanti Endpoint Manager versions prior to 2022
Discovery Timeline
- 2024-05-31 - CVE-2024-29824 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2024-29824
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists within the Core server component of Ivanti Endpoint Manager. The attack requires the adversary to be on an adjacent network, meaning they need to be within the same network segment as the vulnerable EPM server. Once in position, an unauthenticated attacker can exploit improper input sanitization to inject malicious SQL statements that ultimately lead to arbitrary code execution on the underlying server.
The vulnerability is particularly dangerous in enterprise environments where Ivanti EPM serves as a central management platform for endpoint devices across the organization. Successful exploitation could provide attackers with elevated access to manipulate endpoint configurations, deploy malicious software, or pivot to other systems managed by the compromised EPM server.
Root Cause
The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89). The Core server fails to adequately sanitize user-supplied input before incorporating it into SQL queries, allowing attackers to manipulate database operations. This classic input validation failure enables the injection of arbitrary SQL syntax that can be leveraged for data extraction, privilege escalation, and ultimately remote code execution through database-specific attack techniques.
Attack Vector
The attack requires adjacent network access, meaning the attacker must be positioned within the same local network segment as the target Ivanti EPM Core server. From this position, the attacker can send specially crafted requests containing malicious SQL payloads without requiring any authentication. The attack has low complexity and requires no user interaction, making it highly exploitable once network positioning is achieved.
The SQL injection can be weaponized to execute arbitrary code through techniques such as leveraging SQL Server's xp_cmdshell extended stored procedure or other database-native code execution mechanisms, depending on the underlying database configuration and privileges.
Detection Methods for CVE-2024-29824
Indicators of Compromise
- Unusual SQL error messages or database exceptions in Ivanti EPM Core server logs
- Unexpected outbound network connections from the EPM server to external IP addresses
- Evidence of xp_cmdshell or similar database command execution procedures being invoked
- Anomalous database queries containing SQL injection patterns such as "UNION SELECT", stacked statements of the form "; EXEC", or URL-encoded variants of these payloads
Detection Strategies
- Implement network intrusion detection rules to identify SQL injection patterns targeting Ivanti EPM endpoints
- Monitor Ivanti EPM Core server logs for authentication anomalies and suspicious API requests
- Deploy database activity monitoring to detect unusual query patterns or stored procedure executions
- Configure SIEM alerts for indicators of SQL injection exploitation attempts against EPM infrastructure
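The following is an added example, not Ivanti's code or output, showing how the indicators listed above (SQL error messages, UNION SELECT, "; EXEC", xp_cmdshell, encoded payloads) can be turned into a log scanner that also serves the SIEM-alerting strategy. The log line format, the hypothetical /api/devices path and the indicator names are constructed for illustration; real EPM Core server logs will differ and the patterns should be adapted to them. It repeatedly URL-decodes each line before matching so that single- and double-encoded payloads are caught as well as plain ones.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real Ivanti EPM output; format is an assumption).
# Lines 2-5 carry indicators named on the page; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    "2024-06-01T10:00:01Z core-srv INFO request path=/api/devices id=1042",
    "2024-06-01T10:00:07Z core-srv INFO request path=/api/devices id=1042%27%20UNION%20SELECT%201%2C2--",
    "2024-06-01T10:00:09Z core-srv ERROR db exception: Unclosed quotation mark after the character string ''",
    "2024-06-01T10:00:12Z core-srv INFO request path=/api/devices id=1;%20EXEC%20xp_cmdshell",
    "2024-06-01T10:00:15Z core-srv INFO request path=/api/devices id=7%2527%2520UNION%2520SELECT%25201--",
    "2024-06-01T10:01:00Z core-srv INFO request path=/api/devices id=2048",
]

# Indicator name -> regex. Order matters only for the order of reported hits.
PATTERNS = [
    ("union_select", re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE)),
    ("stacked_exec", re.compile(r";\s*EXEC(UTE)?\b", re.IGNORECASE)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)),
    # Typical SQL Server error fragments that show up when injected quotes break a query.
    ("sql_error", re.compile(r"Unclosed quotation mark|Incorrect syntax near", re.IGNORECASE)),
]


def normalize(line: str) -> str:
    """URL-decode a line until it stops changing (max 3 passes).

    Double-encoded payloads (%2527 -> %27 -> ') are a common way to slip
    past single-pass filters, so one decode is not enough.
    """
    current = line
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_line(line: str) -> list:
    """Return the list of indicator names that match a (decoded) log line."""
    decoded = normalize(line)
    return [name for name, rx in PATTERNS if rx.search(decoded)]


def scan_log(lines) -> list:
    """Scan an iterable of log lines; return one finding per line with hits.

    Each finding records the 1-based line number, the indicators matched and
    the decoded text so an analyst can see what the request actually carried.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append({"line_no": line_no, "indicators": hits, "decoded": normalize(line)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {finding['line_no']}: {', '.join(finding['indicators'])}")
        print(f"    {finding['decoded']}")
```

In practice `scan_log` would be fed from the centralized log collection recommended below rather than from an inline list, and a hit on `stacked_exec` or `xp_cmdshell` should be treated as higher priority than a bare SQL error, which can also come from benign application bugs.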
Monitoring Recommendations
- Enable verbose logging on Ivanti EPM Core server components and centralize log collection
- Monitor network traffic between client segments and EPM servers for anomalous patterns
- Implement file integrity monitoring on EPM server systems to detect unauthorized changes
- Review database audit logs for evidence of privilege escalation or unauthorized data access
How to Mitigate CVE-2024-29824
Immediate Actions Required
- Apply the security patch from Ivanti immediately, as this vulnerability is actively exploited
- Isolate Ivanti EPM Core servers on restricted network segments with strict access controls
- Audit network access to EPM infrastructure and remove unnecessary connectivity
- Review EPM server logs and database audit trails for evidence of prior exploitation
Patch Information
Ivanti has released security updates addressing this vulnerability. Organizations should refer to the Ivanti Security Advisory May 2024 for detailed patching instructions. Given the confirmed active exploitation noted in the CISA Known Exploited Vulnerabilities Catalog, immediate patching is critical. Federal agencies and organizations following CISA guidance should prioritize remediation according to established timelines.
Workarounds
- Implement network segmentation to restrict access to EPM Core servers from untrusted network segments
- Deploy web application firewall (WAF) rules to filter SQL injection patterns in requests to EPM endpoints
- Disable or restrict database extended stored procedures like xp_cmdshell where operationally feasible
- Implement strict input validation at the network perimeter using IPS signatures for known attack patterns
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.