CyberSecurity SEE

PoC exploit released for Ivanti Endpoint Manager vulnerabilities (CVE-2024-13159)

Horizon3.ai researchers have recently released a proof-of-concept (PoC) exploit for four critical Ivanti Endpoint Manager vulnerabilities. These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, have the potential to be exploited by remote, unauthenticated attackers. By leveraging Ivanti EPM machine account credentials for relay attacks, attackers could ultimately compromise the Ivanti EPM server.

Zach Hanley, a researcher at Horizon3.ai, emphasized the impact of compromising the Endpoint Manager server. Such a breach could provide attackers with the ability to compromise all EPM clients, making it an especially impactful avenue for cyber attacks. However, Hanley also noted that the extent of the exploitation’s impact would vary depending on the specific targeted environment.

The vulnerabilities, which include path traversal flaws that could lead to the disclosure of sensitive information, were disclosed to Ivanti by Hanley in October 2024. In response, Ivanti issued fixes for these critical vulnerabilities along with several others of lesser severity in January 2025. Customers were strongly advised to implement the provided hot patches to safeguard their systems against potential exploits.

Although Ivanti confirmed that none of the vulnerabilities were actively being exploited at the time, the recent release of the PoC exploit and technical write-up could give malicious actors the information they need to craft and execute their own exploits. Attackers have previously targeted vulnerable Ivanti Endpoint Manager appliances, as well as other Ivanti enterprise solutions.

To mitigate the risk of falling victim to these vulnerabilities, it is crucial for users to upgrade to the fixed versions of Ivanti Endpoint Manager. Specifically, the EPM 2024 January-2025 Security Update or EPM 2022 SU6 January-2025 Security Update should be implemented. Even those who have previously applied an initial hotfix are advised to update once again, as the initial patch may have disabled a specific function of the software.

In summary, the release of the PoC exploit for the Ivanti Endpoint Manager vulnerabilities serves as a reminder of the constant threat posed by cyber attacks. Proactive measures, such as promptly applying security patches and updates, are essential to safeguarding systems against potential exploits and maintaining a secure digital environment.
