CVE-2024-29824

HIGH KEV NUCLEI

Ivanti EPM RecordGoodApp SQLi RCE

Title source: metasploit

Exploitation Summary

CVE-2024-29824 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added October 2, 2024). EIP tracks 3 public exploits from researchers including horizon3ai, R4be1, James Horseman, and Christophe De La Fuente; one of them is the Metasploit module exploits/windows/http/ivanti_epm_recordgoodapp_sqli_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits a SQL injection vulnerability in Ivanti EPM via a crafted SOAP request, enabling blind remote command execution through `xp_cmdshell`. The exploit sends commands from a file to the target endpoint `/WSStatusEvents/EventHandler.asmx`.

Description

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

Exploits (3)

nomisec WORKING POC 26 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2024-29824

This PoC exploits a SQL injection vulnerability in Ivanti EPM via a crafted SOAP request, enabling blind remote command execution through `xp_cmdshell`. The exploit sends commands from a file to the target endpoint `/WSStatusEvents/EventHandler.asmx`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Endpoint Manager (EPM)
No auth needed
Prerequisites: Network access to the target Ivanti EPM instance · Vulnerable version of Ivanti EPM with exposed SOAP endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by R4be1 · remote
https://github.com/R4be1/CVE-2024-29824

This PoC exploits CVE-2024-29824, a SQL injection vulnerability in a SOAP endpoint, leading to remote command execution via `xp_cmdshell`. It supports both single-target and multi-target exploitation using a thread pool for efficiency.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (SOAP endpoint with WSStatusEvents/EventHandler.asmx)
No auth needed
Prerequisites: Target must have exposed SOAP endpoint · SQL Server with `xp_cmdshell` enabled or configurable
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by James Horseman, Christophe De La Fuente · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/ivanti_epm_recordgoodapp_sqli_rce.rb

This Metasploit module exploits an unauthenticated SQL injection vulnerability in Ivanti Endpoint Manager (EPM) 2022 SU5 and prior, leveraging `xp_cmdshell` to achieve remote code execution via a crafted SOAP request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Endpoint Manager (EPM) 2022 SU5 and prior
No auth needed
Prerequisites: Network access to the target's SOAP endpoint · SQL Server with `xp_cmdshell` enabled or configurable
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Ivanti EPM - Remote Code Execution
CRITICAL by DhiyaneshDK

Scores

CVSS v3 8.8
EPSS 0.9397
EPSS Percentile 99.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-10-02
VulnCheck KEV 2024-06-19
InTheWild.io 2024-10-02
ENISA EUVD EUVD-2024-26818
CWE CWE-89
Status published
Products (2)
ivanti/endpoint_manager 2022 (6 CPE variants)
ivanti/endpoint_manager < 2022
Published May 31, 2024
KEV Added Oct 02, 2024
Tracked Since Feb 18, 2026