Researchers found four critical Ivanti EPM vulnerabilities allowing unauthenticated attackers to exploit machine credentials for relay attacks. Patched in January 2025 after discovery in October 2024.
All about the Ivanti EPM vulnerability
The vulnerabilities, including CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, originate from improper input validation in the VulCore class of WSVulnerabilityCore.
Attackers can exploit functions like GetHashForWildcardRecursive() by manipulating wildcard parameters to construct remote UNC paths, forcing the EPM server to read files from arbitrary directories. This could expose sensitive data or enable further attacks.
Similarly, GetHashForWildcard() and GetHashForSingleFile() lack proper authentication checks, allowing unauthenticated users to access remote UNC locations.
These flaws could be leveraged for credential theft, relay attacks, or lateral movement within a compromised network. The severity of these issues underscores the importance of applying security patches promptly to mitigate potential threats.
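The root cause described above is a path parameter that is joined onto a server-side directory without checking whether the caller has supplied a UNC or otherwise absolute target. The following added example (not code from Ivanti or from the advisory; the scan root, function names and sample inputs are assumptions) shows the flawed join pattern next to a hardened validator, using pure Windows path semantics so it runs on any platform:

```python
import re
from pathlib import PureWindowsPath

# Hypothetical scan root (assumption, not from the advisory): the only directory
# the file-hashing service should ever read from.
ALLOWED_ROOT = PureWindowsPath(r"C:\ProgramData\ScanRoot")

# A path segment may contain letters, digits, dot, underscore, space, hyphen and
# the wildcards * and ?. Colons (drive letters, alternate data streams) and
# separators are rejected at the segment level.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._ *?-]+$")


def naive_resolve(user_value: str, root: PureWindowsPath = ALLOWED_ROOT) -> str:
    """The flawed pattern: join the caller-supplied value onto the root and trust it.
    Under Windows path semantics an absolute or UNC value *replaces* the root, so
    the service ends up reading from wherever the caller pointed it."""
    return str(root.joinpath(user_value))


def safe_resolve(user_value: str, root: PureWindowsPath = ALLOWED_ROOT):
    """Hardened form: return the full path only if the value is a relative,
    traversal-free pattern that stays under root; otherwise return None."""
    if not user_value or "\0" in user_value:
        return None
    # UNC (\\host\share), forward-slash UNC (//host/share) and \\?\ device paths
    # are never acceptable from an untrusted caller.
    if user_value.startswith(("\\\\", "//")):
        return None
    candidate = PureWindowsPath(user_value)
    # A drive letter or root component (C:\x, C:x, \x) means an absolute target.
    if candidate.is_absolute() or candidate.drive or candidate.root:
        return None
    # Parent-directory segments would let the pattern climb out of root.
    if any(part == ".." for part in candidate.parts):
        return None
    if not all(_SEGMENT_RE.match(part) for part in candidate.parts):
        return None
    full = root.joinpath(candidate)
    # Final containment check: the joined path must still sit under root.
    try:
        full.relative_to(root)
    except ValueError:
        return None
    return str(full)


def is_safe_scan_pattern(user_value: str) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    return safe_resolve(user_value) is not None


if __name__ == "__main__":
    for value in (r"logs\*.log", r"\\fileserver\share\*", r"..\..\Windows\*", r"C:\Windows\*"):
        print(f"{value!r:28} naive -> {naive_resolve(value)!r:44} safe -> {safe_resolve(value)!r}")
```

The validator deliberately allow-lists segment characters rather than deny-listing known bad prefixes, and it still performs the containment check after joining; either check alone is easy to bypass with an encoding or separator variant the author did not think of. Validation of the parameter does not replace the missing authentication check the article mentions, it only closes the file-read path.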
Exploit Chain Leads to Domain Takeover
The PoC exploit shows how attackers can chain vulnerabilities to gain full domain control:
- Credential Theft: Attackers trick the Ivanti EPM server into authenticating to a malicious SMB share, capturing NTLMv2 credentials.
- LDAP Relay Attack: Stolen credentials are relayed to a domain controller, allowing unauthorized machine account creation with elevated privileges.
- Privilege Escalation: Attackers forge Kerberos tickets to impersonate domain admins, gaining access to critical network services and enabling further exploitation.
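Each step of the chain above leaves traces on the domain controller: a relayed authentication shows up as an NTLM network logon for the EPM server's machine account coming from an address that is not the EPM server, and the machine account creation shows up as a computer account being created by a machine account rather than by a user or provisioning account. The following added detection example (not from the page or from Horizon3.ai; the event samples, host inventory and account names are constructed) correlates those two signals over a handful of events shaped like Windows Security log 4624 and 4741 records:

```python
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Constructed sample events (not taken from the page), shaped like the EventData
# fields of Security log events 4624 (logon) and 4741 (computer account created).
SAMPLE_EVENTS: List[Event] = [
    # Normal Kerberos network logon by a user.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "WorkstationName": "WS-0412", "IpAddress": "10.0.5.17"},
    # The EPM server's machine account authenticating over NTLM from an address
    # that is not the EPM server: the shape a relayed authentication takes.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "EPMSRV01$", "WorkstationName": "EPMSRV01", "IpAddress": "10.0.9.99"},
    # A computer account created by a machine account.
    {"EventID": 4741, "SubjectUserName": "EPMSRV01$", "SubjectDomainName": "CORP",
     "TargetUserName": "RELAYPC$"},
    # Normal: a helpdesk user joining a workstation to the domain.
    {"EventID": 4741, "SubjectUserName": "helpdesk.jdoe", "SubjectDomainName": "CORP",
     "TargetUserName": "WS-0413$"},
]

# Hypothetical asset inventory (assumption): machine account -> addresses it is
# expected to authenticate from. Populate this from your CMDB or DHCP leases.
KNOWN_HOSTS: Dict[str, Set[str]] = {"EPMSRV01$": {"10.0.0.50"}}


def machine_created_computers(events: List[Event]) -> List[Tuple[str, str]]:
    """4741 events whose creator is itself a machine account (name ends in '$')."""
    return [
        (str(e["SubjectUserName"]), str(e["TargetUserName"]))
        for e in events
        if e.get("EventID") == 4741 and str(e.get("SubjectUserName", "")).endswith("$")
    ]


def ntlm_machine_logons_from_unexpected_ip(
    events: List[Event], known_hosts: Dict[str, Set[str]]
) -> List[Tuple[str, str]]:
    """NTLM network logons (type 3) by a machine account from an address that the
    inventory does not associate with that host."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3:
            continue
        if e.get("AuthenticationPackageName") != "NTLM":
            continue
        account = str(e.get("TargetUserName", ""))
        if not account.endswith("$"):
            continue
        ip = str(e.get("IpAddress", ""))
        if ip not in known_hosts.get(account, set()):
            hits.append((account, ip))
    return hits


def correlate(events: List[Event], known_hosts: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Raise every machine-created computer account; escalate to 'high' when the
    creating account also produced an NTLM logon from an unexpected address."""
    suspicious = {account for account, _ in ntlm_machine_logons_from_unexpected_ip(events, known_hosts)}
    alerts = []
    for creator, created in machine_created_computers(events):
        severity = "high" if creator in suspicious else "medium"
        alerts.append((severity, creator, created))
    return alerts


if __name__ == "__main__":
    for severity, creator, created in correlate(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"[{severity}] machine account {creator} created computer account {created}")
```

A machine account creating another computer account is rare in most environments, so the medium-severity rule alone is usually low-noise; allow-list any automated provisioning that legitimately runs under a machine identity. The correlation with an off-inventory NTLM logon is what separates a relay from a misconfigured join. On the prevention side, the relay-to-LDAP step is blocked by enforcing LDAP signing and LDAPS channel binding on domain controllers, and the account-creation step by setting ms-DS-MachineAccountQuota to 0 so ordinary authenticated principals cannot add computer objects.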
Rapid Domain Compromise Through Ivanti EPM Exploit
Researchers demonstrated how attackers could take over an entire domain within minutes by exploiting Ivanti EPM vulnerabilities. A single compromised server could grant control over all managed endpoints.
Horizon3.ai released a PoC exploit showcasing attack vectors like NTLM relay attacks, enabling machine account creation and privilege escalation via LDAP. Tools like ntlmrelayx facilitate these exploits.
Ivanti was notified on October 15, 2024, verified the flaws, and issued a patch on January 13, 2025. Public disclosure followed on February 19, 2025.
Organizations using Ivanti EPM should apply patches immediately and strengthen security configurations to prevent exploitation. This case underscores the critical need for strong authentication and input validation.