CVE-2024-32848
Ivanti Endpoint Manager vulnerability analysis and mitigation

Overview

An unspecified SQL injection vulnerability (CVE-2024-32848) was discovered in Ivanti Endpoint Manager (EPM) affecting versions before 2022 SU6 and the 2024 September update. The vulnerability was reported on June 5, 2024, and publicly disclosed on September 11, 2024. This security flaw specifically affects the updateAssetInfo method implementation in the Ivanti EPM software (NVD, ZDI).

Technical details

The vulnerability stems from improper validation of user-supplied strings used in SQL query construction within the updateAssetInfo method. It has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection). HackerOne has additionally assessed it with a CVSS score of 9.1 (Critical) using the vector string CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NVD, ZDI).

Impact

If successfully exploited, this vulnerability allows an authenticated attacker with admin privileges to execute arbitrary code in the context of the service account, potentially leading to remote code execution on affected systems (ZDI).

Mitigation and workarounds

Ivanti has released security updates to address this vulnerability. Users should update to EPM 2022 SU6 or apply the 2024 September update. The fix for this vulnerability was later found to be incomplete, which led to the creation of CVE-2024-13162 and required additional patches in January 2025 (NVD).

Source: This report was generated using AI

Related Ivanti Endpoint Manager vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-10573 | CRITICAL | 9.6 | Ivanti Endpoint Manager | cpe:2.3:a:ivanti:endpoint_manager | No | Yes | Dec 09, 2025 |
| CVE-2025-13659 | HIGH | 8.8 | Ivanti Endpoint Manager | cpe:2.3:a:ivanti:endpoint_manager | No | Yes | Dec 09, 2025 |
| CVE-2025-13661 | HIGH | 8 | Ivanti Endpoint Manager | cpe:2.3:a:ivanti:endpoint_manager | No | No | Dec 09, 2025 |
| CVE-2025-13662 | HIGH | 7.8 | Ivanti Endpoint Manager | cpe:2.3:a:ivanti:endpoint_manager | No | No | Dec 09, 2025 |
| CVE-2025-10573 | MEDIUM | 6.1 | Ivanti Endpoint Manager | cpe:2.3:a:ivanti:endpoint_manager | No | No | Dec 09, 2025 |
