The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a security flaw impacting Endpoint Supervisor (EPM) that the corporate patched in Could to its Recognized Exploited Vulnerabilities (KEV) catalog, primarily based on proof of lively exploitation.
The vulnerability, tracked as CVE-2024-29824, carries a CVSS rating of 9.6 out of a most of 10.0, indicating essential severity.
“An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior permits an unauthenticated attacker inside the similar community to execute arbitrary code,” the software program service supplier stated in an advisory launched on Could 21, 2024.
Horizon3.ai, which launched a proof-of-concept (PoC) exploit for the flaw in June, stated the problem is rooted in a perform known as RecordGoodApp() inside a DLL named PatchBiz.dll.
Particularly, it considerations how the perform handles an SQL question assertion, thereby permitting an attacker to realize distant code execution by way of xp_cmdshell.
The precise specifics of how the shortcoming is being exploited within the wild stays unclear, however Ivanti has since up to date the bulletin to state that it has “confirmed exploitation of CVE-2024-29824” and {that a} “restricted variety of clients” have been focused.
With the newest growth, as many as 4 totally different flaws in Ivanti home equipment have come below lively abuse inside only a month’s span, exhibiting that they’re a profitable assault vector for risk actors –
- CVE-2024-8190 (CVSS rating: 7.2) – An working system command injection vulnerability in Cloud Service Equipment (CSA)
- CVE-2024-8963 (CVSS rating: 9.4) – A path traversal vulnerability in CSA
- CVE-2024-7593 (CVSS rating: 9.8) – An authentication bypass vulnerability Digital Site visitors Supervisor (vTM)
Federal companies are mandated to replace their cases to the newest model by October 23, 2024, to safeguard their networks in opposition to lively threats.
