How to Fix CVE-2024-29824: Ivanti EPM SQL Injection
*By Sai Kiran Pandrala*
| Severity | CVSS 9.6, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV. Horizon3.ai published a full PoC. |
| Affected | Ivanti Endpoint Manager (EPM) 2022 SU5 and earlier |
| Fixed in | EPM 2022 SU6 (or later) per the Ivanti EPM 2022 SU5 May 2024 Security Advisory |
| Type (CWE) | CWE-89: SQL Injection |
⚠️ Patch immediately. Public PoC means automated scanning is happening. EPM core compromise gives the attacker access to every managed endpoint in the fleet.
What is CVE-2024-29824?
An SQL injection vulnerability in the Core server of Ivanti EPM 2022 SU5 and earlier lets an unauthenticated remote attacker inject SQL commands via crafted requests. Successful exploitation leads to arbitrary command execution within the Core server context, which, on a typical EPM deployment, has access to push scripts and packages to every managed endpoint.
Am I affected?
You are affected if you run Ivanti Endpoint Manager 2022 SU5 or earlier. Check the EPM Console → About for the running build.
How to fix CVE-2024-29824
- Open the Ivanti EPM 2022 SU5 Security Advisory linked below.
- Download EPM 2022 SU6 (or later) from the Ivanti support portal.
- Back up the EPM database.
- Apply the update via the EPM console → Tools → Maintenance → Patch Manager, or via the manual SU package installer.
- Restart EPM core server services. Verify version on the About page.
Upgrade the Ivanti / pulse secure appliance
# Web admin: System -> Upgrade/Downgrade -> stage the patched image
# referenced in the advisory: https://forums.ivanti.com/s/article/Security-Advisory-May-2024
# CLI verification after reboot
show version
show system status
Verify the fix landed
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://forums.ivanti.com/s/article/Security-Advisory-May-2024
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2024-29824 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
If you can't patch immediately
Restrict EPM core server admin access to a small administrative network at the firewall. The agent communication ports can remain open; the management API/portal access should be locked down.
How to verify the fix worked
EPM Console → About shows EPM 2022 SU6 or later. Run an authenticated vulnerability scan against the EPM core server.
Frequently asked questions
Is CVE-2024-29824 actively exploited?
Yes. CVE-2024-29824 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-29824?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://forums.ivanti.com/s/article/Security-Advisory-EPM-2022-SU5-and-Prior-Multiple-CVEs
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Ivanti EPM 2022 SU5 Security Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-2022-SU5-and-Prior-Multiple-CVEs
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29824
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Related: CVE-2024-13161 (Ivanti EPM January 2025 path traversal bundle)
*This guide was assembled from the Ivanti EPM 2022 SU5 Security Advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Ivanti's advisory before applying changes in production.*