CVE-2024-29827: 
Ivanti Endpoint Manager vulnerability analysis and mitigation

An unspecified SQL Injection vulnerability has been identified in the Core server of Ivanti Endpoint Manager (EPM) 2022 SU5 and prior versions. The vulnerability allows an unauthenticated attacker within the same network to execute arbitrary code (NVD, CVE).

The vulnerability specifically exists within the implementation of the GetDBPatchProducts method. The issue stems from the lack of proper validation of user-supplied strings before they are used to construct SQL queries. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H by NIST, while HackerOne assessed it with a CVSS score of 9.6 (CRITICAL) (ZDI, NVD).

The vulnerability allows attackers to execute arbitrary code in the context of the service account. Given the high severity ratings and the potential for code execution, successful exploitation could lead to complete system compromise with high impacts on confidentiality, integrity, and availability (ZDI).

Ivanti has issued an update to correct this vulnerability. Organizations using affected versions of Ivanti EPM 2022 SU5 and prior versions should apply the security update as soon as possible (ZDI).