CVE-2024-29827

Name of the Vulnerable Software and Affected Versions: Ivanti EPM versions 2022 SU5 and prior

Description: The issue exists due to the lack of neutralization of special elements used in the operating system command by the GetDBPatchProducts function in Ivanti EPM. This allows an unauthenticated attacker within the same network to execute arbitrary code by injecting specially crafted SQL code. The exploitation of this issue can enable a remote attacker to execute arbitrary code.

Recommendations: For Ivanti EPM versions 2022 SU5 and prior, consider disabling the GetDBPatchProducts function as a temporary workaround until a patch is available. Restrict access to the Core server to minimize the risk of exploitation. Avoid using the function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.