Ivanti Endpoint Manager: Exploit for critical vulnerability discovered
A proof-of-concept exploit for a critical vulnerability in Ivanti Endpoint Manager has surfaced. There is also an update for the hotfix.
(Image: Sashkin/Shutterstock.com)
At the end of May, some critical vulnerabilities in Ivanti's Endpoint Manager (EPM) became known. IT security researchers have since published a proof-of-concept exploit for one of them. In addition, the previously available hotfix was faulty, so Ivanti has now released a bug-fixed version.
In Ivanti's Endpoint Manager device management software, attackers were able to abuse six vulnerabilities classified as critical as a gateway into the network. The IT researchers at horizon3.ai have investigated one of the SQL injection vulnerabilities, CVE-2024-29824, which allows attackers to inject malicious code remotely. They have created a script that automates and demonstrates the abuse of the vulnerability, a so-called proof-of-concept (PoC) exploit.
Update Ivanti EPM now, if you have not already done so
Cybercriminals are often quick to include such PoCs in their toolboxes. Attacks by exploiting the vulnerability are therefore now very likely. IT managers should therefore download and apply the hotfix provided by Ivanti according to the instructions. Those who have already done so may have to install it again: The first hotfix had a bug and interfered with the collection of data.
In the updated vulnerability announcement from Ivanti, the developers write: "An issue with the PatchBiz.dll from this patch has been identified. The advisory interferes with the 'Gather Historical Data' function". The download link was updated on Wednesday last week and points to a new file.
The ZIP archive contains updated DLLs, which admins must use to replace the existing and faulty versions. Afterwards, a server restart or, if this is not possible, an "IISRESET" after closing the EPM console is necessary, as otherwise the corrected DLLs will not be loaded.
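A defender-side check for the last step described above, added here as an example and not part of the article or of Ivanti's hotfix instructions: it compares the write time of the replaced DLLs with the start time of the IIS worker processes, so an admin can tell whether the stale copies are still mapped and an IISRESET or reboot is still outstanding. The install folder and the DLL list are assumptions (only PatchBiz.dll is named on the page); adjust them to your environment and run the script elevated so that process start times are readable.

```powershell
# Added example, not from the article or from Ivanti. Checks whether the hotfix DLLs
# were written AFTER the running IIS worker processes started. If so, w3wp.exe still
# has the old copies mapped and the hotfix is not effective until IISRESET / reboot.
$EpmDir     = 'C:\Program Files\LANDesk\ManagementSuite'   # ASSUMED EPM install folder
$HotfixDlls = @('PatchBiz.dll')                              # ASSUMED: add the other DLLs from the ZIP

# Process start times of other users' processes are only readable when elevated.
$workers = Get-Process -Name w3wp -ErrorAction SilentlyContinue
if (-not $workers) {
    Write-Output 'No IIS worker process is running; the new DLLs load on next start.'
    return
}
$oldestWorkerStart = ($workers | Sort-Object StartTime | Select-Object -First 1).StartTime

$needsReset = $false
foreach ($name in $HotfixDlls) {
    $file = Get-ChildItem -Path $EpmDir -Filter $name -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) {
        Write-Warning "$name not found under $EpmDir; check the install path"
        continue
    }
    $ver = $file.VersionInfo.FileVersion
    if ($file.LastWriteTime -gt $oldestWorkerStart) {
        # DLL on disk is newer than the worker: the loaded copy is the old, faulty one.
        Write-Warning ('{0} ({1}) written {2}, but w3wp started {3}: stale copy still loaded' -f
                       $name, $ver, $file.LastWriteTime, $oldestWorkerStart)
        $needsReset = $true
    } else {
        Write-Output ('{0} ({1}) predates the running worker; loaded copy is current' -f $name, $ver)
    }
}

if ($needsReset) {
    Write-Output 'Close the EPM console, then run "iisreset" (or restart the server).'
} else {
    Write-Output 'All listed hotfix DLLs were loaded after replacement; no reset needed.'
}
```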
The hotfix is only intended for EPM 2022 SU5. Ivanti intends to close the CVEs correctly with a future version of the Endpoint Manager.
(dmk)