1
2name: crowdsecurity/vpatch-CVE-2024-29824
3description: "Ivanti EPM - SQLi (CVE-2024-29824)"
4rules:
5  - and:
6    - zones:
7      - METHOD
8      match:
9        type: equals
10        value: POST
11    - zones:
12      - URI
13      transform:
14      - lowercase
15      match:
16        type: endsWith
17        value: /wsstatusevents/eventhandler.asmx
18    - zones:
19      - RAW_BODY
20      match:
21        type: contains
22        value: "xp_cmdshell"
23labels:
24  type: exploit
25  service: http
26  confidence: 3
27  spoofable: 0
28  behavior: "http:exploit"
29  label: "Ivanti EPM - SQL Injection"
30  classification:
31   - cve.CVE-2024-29824
32   - attack.T1595
33   - attack.T1190
34   - cwe.CWE-89