Horizon3.ai has released technical details on four critical-severity vulnerabilities in Ivanti Endpoint Manager (EPM), along with proof-of-concept (PoC) code targeting them.
The security defects, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8) and described as absolute path traversal issues, were patched in mid-January in EPM versions 2024 and 2022 SU6.
Ivanti warned at the time that the flaws could be exploited to leak sensitive information, but provided no additional details on them.
On Wednesday, Horizon3.ai revealed that the four bugs could be exploited by an unauthenticated attacker to “coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise”.
According to the cybersecurity company, the vulnerabilities reside in functions that accept user input when reading files from a specific path and calculating hashes for them.
Because user input is not validated, an attacker could coerce the EPM server to connect to a remote UNC path, Horizon3.ai says.
The security firm notes that the four vulnerabilities can be exploited to relay credentials to LDAP and add a machine account. An attacker can then add delegation rights to the new account, impersonate a domain administrator for the CIFS service, and then validate the permissions.
“Compromising the Endpoint Manager server itself would lead to the ability to compromise all of the EPM clients, making this avenue especially impactful,” Horizon3.ai notes.
The vulnerabilities were reported in October 2024. Ivanti’s January 2025 security update for EPM 2024 and 2022 SU6 addresses all four.
Because the initial update caused issues with Windows Action, Ivanti released a second version of the update. Organizations are advised to install the second version regardless of whether they installed the initial patch or not.
Related: Ivanti, Fortinet Patch Remote Code Execution Vulnerabilities
Related: Ivanti Patches Critical Vulnerabilities in Endpoint Manager
Related: Many Ivanti VPNs Still Unpatched as UK Domain Registry Emerges as Victim of Exploitation
Related: Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies
