The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a safety flaw impacting Endpoint Supervisor (EPM) that the corporate patched in Might to its Recognized Exploited Vulnerabilities (KEV) catalog, based mostly on proof of energetic exploitation.
The vulnerability, tracked as CVE-2024-29824, carries a CVSS rating of 9.6 out of a most of 10.0, indicating essential severity.
“An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code,” the software program service supplier stated in an advisory launched on Might 21, 2024.
Horizon3.ai, which launched a proof-of-concept (PoC) exploit for the flaw in June, stated the difficulty is rooted in a perform known as RecordGoodApp() inside a DLL named PatchBiz.dll.
Particularly, it considerations how the perform handles an SQL question assertion, thereby permitting an attacker to achieve distant code execution by way of xp_cmdshell.
The precise specifics of how the shortcoming is being exploited within the wild stays unclear, however Ivanti has since up to date the bulletin to state that it has “confirmed exploitation of CVE-2024-29824” and {that a} “limited number of customers” have been focused.
With the newest growth, as many as 4 totally different flaws in Ivanti home equipment have come beneath energetic abuse inside only a month’s span, exhibiting that they’re a profitable assault vector for menace actors –
- CVE-2024-8190 (CVSS rating: 7.2) – An working system command injection vulnerability in Cloud Service Equipment (CSA)
- CVE-2024-8963 (CVSS rating: 9.4) – A path traversal vulnerability in CSA
- CVE-2024-7593 (CVSS rating: 9.8) – An authentication bypass vulnerability Digital Site visitors Supervisor (vTM)
Federal businesses are mandated to replace their cases to the newest model by October 23, 2024, to safeguard their networks towards energetic threats.
