Ivanti Endpoint Manager ‘Critical’ Flaw Has Seen Exploitation

CISA urges organizations to address the remote code execution vulnerability affecting Ivanti EPM.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Wednesday urged organizations to prioritize patching for a previously disclosed, critical-severity vulnerability affecting Ivanti Endpoint Manager, which has now seen exploitation in attacks.

The remote code execution (RCE) flaw in the product, also known as Ivanti EPM, was discovered in the spring and patched in May. However, the vulnerability (tracked as CVE-2024-29824) has now been confirmed to have been exploited by threat actors, according to CISA and Ivanti.

In an advisory Wednesday, CISA said it has added the Ivanti Endpoint Manager bug to its catalog of exploited vulnerabilities based on “evidence of active exploitation.”

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said, adding that CISA also “strongly urges” non-federal organizations to prioritize remediation of flaws in the Known Exploited Vulnerabilities Catalog.

In an update to its own advisory about the vulnerability Tuesday, Ivanti said it “has confirmed exploitation of CVE-2024-29824 in the wild.”

“At the time of this update, we are aware of a limited number of customers who have been exploited,” the vendor said.

In a statement provided to CRN Wednesday, Ivanti said the Endpoint Manager vulnerability was “previously identified and patched” on May 21 and that “at the time of disclosure, there was no indication that any customers had been exploited as a result of this vulnerability.”

“However, we have now confirmed limited exploitation,” the company said. “We strongly urge customers to ensure they are on the latest version which is available through our standard download portal.”

The SQL injection RCE vulnerability in Ivanti Endpoint Manager is considered “critical” with a severity score of 9.6 out of 10.0.

Researchers at Trend Micro’s Zero Day Initiative, which discovered the vulnerability and reported it to Ivanti in April, disclosed previously that the issue can enable remote execution of code without authentication. “An attacker can leverage this vulnerability to execute code in the context of the service account,” the researchers wrote.