The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity.
“An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code,” the software service provider said in an advisory released on May 21, 2024.
Horizon3.ai, which released a proof-of-concept (PoC) exploit for the flaw in June, said the issue is rooted in a function called RecordGoodApp() within a DLL named PatchBiz.dll.
Specifically, it concerns how the function handles an SQL query statement, thereby allowing an attacker to gain remote code execution via xp_cmdshell.
The exact specifics of how the shortcoming is being exploited in the wild remains unclear, but Ivanti has since updated the bulletin to state that it has “confirmed exploitation of CVE-2024-29824” and that a “limited number of customers” have been targeted.
With the latest development, as many as four different flaws in Ivanti appliances have come under active abuse within just a month’s span, showing that they are a lucrative attack vector for threat actors –
- CVE-2024-8190 (CVSS score: 7.2) – An operating system command injection vulnerability in Cloud Service Appliance (CSA)
- CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability in CSA
- CVE-2024-7593 (CVSS score: 9.8) – An authentication bypass vulnerability Virtual Traffic Manager (vTM)
Federal agencies are mandated to update their instances to the latest version by October 23, 2024, to safeguard their networks against active threats.