SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PoC Exploit Published for Critical Ivanti EPM Vulnerabilities

Proof-of-concept (PoC) code and technical details on four critical-severity Ivanti EPM vulnerabilities are now available.
Ivanti vulnerability exploited

Horizon3.ai has released technical details on four critical-severity vulnerabilities in Ivanti Endpoint Manager (EPM), along with proof-of-concept (PoC) code targeting them.

The security defects, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8) and described as absolute path traversal issues, were patched in mid-January in EPM versions 2024 and 2022 SU6.

Ivanti warned at the time that the flaws could be exploited to leak sensitive information, but provided no additional details on them.

On Wednesday, Horizon3.ai revealed that the four bugs could be exploited by an unauthenticated attacker to “coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise”.

According to the cybersecurity company, the vulnerabilities reside in functions that accept user input when reading files from a specific path and calculating hashes for them.

Because user input is not validated, an attacker could coerce the EPM server to connect to a remote UNC path, Horizon3.ai says.

The security firm notes that the four vulnerabilities can be exploited to relay credentials to LDAP and add a machine account. An attacker can then add delegation rights to the new account, impersonate a domain administrator for the CIFS service, and then validate the permissions.

“Compromising the Endpoint Manager server itself would lead to the ability to compromise all of the EPM clients, making this avenue especially impactful,” Horizon3.ai notes.

Advertisement. Scroll to continue reading.

The vulnerabilities were reported in October 2024. Ivanti’s January 2025 security update for EPM 2024 and 2022 SU6 addresses all four.

Because the initial update caused issues with Windows Action, Ivanti released a second version of the update. Organizations are advised to install the second version regardless of whether they installed the initial patch or not.

Related: Ivanti, Fortinet Patch Remote Code Execution Vulnerabilities

Related: Ivanti Patches Critical Vulnerabilities in Endpoint Manager

Related: Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation

Related: Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Protecting Executives and Enterprises from Digital, Narrative and Physical Attacks
March 12, 2025

Join this in-depth briefing on how to protect executives and the enterprises they lead from the growing convergence of digital, narrative, and physical attacks.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Cybersecurity firm Absolute Security announced Harold Rivas as its new CISO.

Simon Forster has been named the new General Manager of DNS security firm Quad9.

Cybersecurity training company Immersive has named Mark Schmitz as its new CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.