The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Ivanti bug to its Known Exploited Vulnerabilities (KEV) catalog, indicating it is being actively exploited in the wild.
The newly added bug is a SQL Injection vulnerability, which was found this spring in the Core server of Ivanti Endpoint Manager (EPM) 2022 SU5 and older. It allows an unauthenticated attacker within the same network to execute arbitrary code. It is tracked as CVE-2024-29824 and has a severity score of 9.6 (critical).
Federal agencies now have three weeks to apply the patch or stop using the product altogether — and private sector organizations should take that into account, too.
Renewed commitment to safety
Ivanti Endpoint Manager (EPM) is a software solution designed for IT asset management and provides tools to manage, secure, and troubleshoot endpoints such as desktops, laptops, and mobile devices in an organization. It helps automate patching, software distribution and inventory management, and supports Windows, macOS, Chrome OS and various IoT operating systems.
The company says it patched the vulnerability in May 2024, along with five other RCE flaws. The company also recently confirmed sightings of attacks in the wild: “At the time of this update, we are aware of a limited number of customers who have been exploited,” the company concluded.
Ivanti is a major technology provider in the B2B sector, with more than 40,000 customers worldwide and customers across industries including government, healthcare, education, financial services and more. These organizations use Ivanti’s solutions for IT management, security and asset management and as such are a prime target for cybercriminals.
In recent years, Ivanti has been at the center of much controversy as many of its products were found to have serious defects. In response, Ivanti CEO Jeff Abbott sent an open letter to customers and partners in April 2024, promising a renewed commitment to safety.
Via BleepingComputer