The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a safety flaw impacting Endpoint Supervisor (EPM) that the corporate patched in Could to its Recognized Exploited Vulnerabilities (KEV) catalog, primarily based on proof of lively exploitation.
The vulnerability, tracked as CVE-2024-29824, carries a CVSS rating of 9.6 out of a most of 10.0, indicating vital severity.
“An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior permits an unauthenticated attacker throughout the identical community to execute arbitrary code,” the software program service supplier mentioned in an advisory launched on Could 21, 2024.
Horizon3.ai, which launched a proof-of-concept (PoC) exploit for the flaw in June, mentioned the difficulty is rooted in a operate referred to as RecordGoodApp() inside a DLL named PatchBiz.dll.
Particularly, it issues how the operate handles an SQL question assertion, thereby permitting an attacker to realize distant code execution by way of xp_cmdshell.
The precise specifics of how the shortcoming is being exploited within the wild stays unclear, however Ivanti has since up to date the bulletin to state that it has “confirmed exploitation of CVE-2024-29824” and {that a} “restricted variety of prospects” have been focused.
With the most recent growth, as many as 4 completely different flaws in Ivanti home equipment have come underneath lively abuse inside only a month’s span, displaying that they’re a profitable assault vector for menace actors –
- CVE-2024-8190 (CVSS rating: 7.2) – An working system command injection vulnerability in Cloud Service Equipment (CSA)
- CVE-2024-8963 (CVSS rating: 9.4) – A path traversal vulnerability in CSA
- CVE-2024-7593 (CVSS rating: 9.8) – An authentication bypass vulnerability Digital Site visitors Supervisor (vTM)
Federal businesses are mandated to replace their cases to the most recent model by October 23, 2024, to safeguard their networks towards lively threats.
