
Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Companies to Patch

Ivanti Endpoint Manager

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Ivanti Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity.

"An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code," the software service provider said in an advisory released on May 21, 2024.


Horizon3.ai, which released a proof-of-concept (PoC) exploit for the flaw in June, said the problem is rooted in a function called RecordGoodApp() within a DLL named PatchBiz.dll.

Specifically, it concerns how the function handles an SQL query statement, thereby allowing an attacker to achieve remote code execution via xp_cmdshell.
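Because xp_cmdshell is a Microsoft SQL Server extended stored procedure, the reachability of that final step depends on how the database instance behind the EPM core server is configured. The following T-SQL is an added example (not from the article, Ivanti or Horizon3.ai) that a defender can run against that instance to audit whether xp_cmdshell is enabled, which logins hold the sysadmin role that xp_cmdshell requires, and to turn the procedure off. It assumes you connect with sysadmin rights via SSMS or sqlcmd, and it is defense in depth only: it narrows what a successful injection can do but does not remove the injection itself, so the vendor patch is still required.

```sql
-- Added example: audit and tighten xp_cmdshell on the SQL Server instance
-- used by an Ivanti EPM core server. Assumes a sysadmin connection.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which logins are sysadmin? xp_cmdshell can only be executed by sysadmin
--    members (or through a configured proxy account), so an application login
--    that is sysadmin is what turns SQL injection into command execution.
SELECT name, type_desc
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Disable xp_cmdshell. 'show advanced options' must be on to change it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 4. Confirm the change took effect (expect value_in_use = 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Note that a sysadmin-level login can re-enable the option with the same sp_configure call, so step 2 matters as much as step 3: an injection that executes as sysadmin can undo the setting. Treat a non-zero value_in_use on a server that is not supposed to use xp_cmdshell, or an unexpected change to it, as something to investigate rather than silently reset.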


The exact specifics of how the vulnerability is being exploited in the wild remain unclear, but Ivanti has since updated the bulletin to state that it has "confirmed exploitation of CVE-2024-29824" and that a "limited number of customers" have been targeted.

With the latest development, as many as four different flaws in Ivanti appliances have come under active abuse within just a month's span, showing that they are a lucrative attack vector for threat actors –

  • CVE-2024-8190 (CVSS score: 7.2) – An operating system command injection vulnerability in Cloud Service Appliance (CSA)
  • CVE-2024-8963 (CVSS score: 9.4) – A path traversal vulnerability in CSA
  • CVE-2024-7593 (CVSS score: 9.8) – An authentication bypass vulnerability in Virtual Traffic Manager (vTM)

Federal agencies are mandated to update their instances to the latest version by October 23, 2024, to safeguard their networks against active threats.
