Ivanti EPM Vulnerability Exploited in the Wild

Summary:
In May 2024, Ivanti released patches to address a SQL injection vulnerability in its Endpoint Manager. Tracked as CVE-2024-29824, the flaw impacts the Core server of Ivanti EPM 2022 SU5 and prior, and can be exploited by an unauthenticated attacker within the same network to execute arbitrary code. In its initial advisory, Ivanti did not have evidence to suggest that the flaw was exploited in attacks in the wild. However, the vendor recently updated the advisory stating that it is aware of in-the-wild exploitation. According to Ivanti, CVE-2024-29824 has been used against “a limited number of customers.” Details of these attacks have not been disclosed at this time. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising organizations to apply patches by October 23.

Security Officer Comments:
The development comes after cybersecurity firm Horizon3.ai published technical details for CVE-2024-29824, as well as a proof-of-concept exploit. Threat actors are likely leveraging this POC to exploit Ivanti appliances vulnerable to CVE-2024-29824. Although the details of the latest exploitation attempts are scarce, Ivanti appliances have become popular targets for actors, with notable organizations like MITRE and even CISA being targeted earlier this year.

Suggested Corrections:
Threat actors are actively identifying and exploiting vulnerabilities in edge devices to breach victims across the globe, highlighting the need for organizations to keep systems and software up to date and to implement robust access controls, including multi-factor authentication, least privilege, and network segmentation, to limit the potential impact of cyberattacks.

Link(s):
https://www.securityweek.com/ivanti-epm-vulnerability-exploited-in-the-wild/