CISA: 3 Ivanti endpoint vulnerabilities exploited in the wild


Three critical vulnerabilities in Ivanti Endpoint Manager (EPM) are currently under active exploitation in the wild, according to the Cybersecurity and Infrastructure Security Agency (CISA).

The agency on Monday added the EPM flaws to its known exploited vulnerabilities catalog. According to the catalog listings, it’s not currently known whether the vulnerabilities are being weaponized for ransomware attacks.

All three flaws — CVE-2024-13159, CVE-2024-13160 and CVE-2024-13161 — are absolute path-traversal vulnerabilities with CVSS scores of 9.8. The vulnerabilities were initially disclosed and patched by Ivanti on Jan. 13 along with a fourth absolute path-traversal flaw, CVE-2024-10811. Ivanti said in its advisory that it was not aware of any exploitation “prior to public disclosure.”

Horizon3.ai, which discovered all four CVEs, published research on Feb. 19 with the technical details of the EPM vulnerabilities as well as a proof-of-concept (PoC) exploit. Zach Hanley, chief attack engineer at Horizon3.ai, told Cybersecurity Dive at the time that his company agreed to wait 30 days after the initial disclosure before publishing the technical details so that Ivanti customers would have more time to patch the flaws.

According to Horizon3.ai’s blog post, the four vulnerabilities enable credential coercion through different file-handling functions of EPM, such as GetHashForFile and GetHashForWildcard: because these functions accept an attacker-supplied absolute path without restricting it to a local directory, an unauthenticated request can point the server at a UNC path on an attacker-controlled host. Hanley wrote in the blog post that exploitation allows unauthorized attackers to coerce the Ivanti EPM machine account credentials, which can be used in relay attacks and potentially lead to server compromise.
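The pattern behind this class of bug, shown as an added example that is not Ivanti’s or Horizon3.ai’s code: a file-hashing handler that trusts a caller-supplied path will happily open `\\attacker\share\file`, and on Windows that open triggers an SMB authentication from the service’s machine account before any file data is read. The hardened version classifies the path first and only joins it under a fixed base directory. The base directory, the function names and the sample paths are constructed for illustration; the validation uses `PureWindowsPath` so it reasons about Windows path syntax even when run on another OS.

```python
"""Absolute-path-traversal / UNC credential-coercion check (illustrative, not EPM code)."""
import hashlib
from pathlib import PureWindowsPath

# Hypothetical directory the service is allowed to hash files from (assumption).
BASE_DIR = PureWindowsPath(r"C:\ProgramData\Example\Files")


def classify_path(user_path: str) -> str:
    """Return 'ok' for a plain relative path, otherwise the reason it is rejected.

    Windows path semantics are applied regardless of the host OS, since the
    target service runs on Windows.
    """
    p = PureWindowsPath(user_path)
    # \\host\share\... (also //host/share/... and \\?\ device paths): opening this
    # makes the service account authenticate to 'host' over SMB -> coercion/relay.
    if p.drive.startswith("\\\\"):
        return "unc"
    # C:\..., C:foo or \... : absolute or rooted path, i.e. absolute path traversal.
    if p.drive or p.root:
        return "absolute"
    # Relative path that climbs out of the base directory.
    if ".." in p.parts:
        return "traversal"
    return "ok"


def resolve_under_base(user_path: str) -> PureWindowsPath:
    """Validate `user_path` and return it anchored under BASE_DIR, or raise ValueError."""
    reason = classify_path(user_path)
    if reason != "ok":
        raise ValueError(f"rejected ({reason}): {user_path!r}")
    candidate = BASE_DIR.joinpath(user_path)
    # Second line of defence: the joined path must be strictly below BASE_DIR
    # (this also rejects the empty path, which would resolve to BASE_DIR itself).
    if BASE_DIR not in candidate.parents:
        raise ValueError(f"rejected (escapes base): {user_path!r}")
    return candidate


def _sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def get_hash_for_file_vulnerable(user_path: str) -> str:
    """Vulnerable pattern: the caller's path goes straight to open().

    A request carrying '\\\\10.0.0.5\\share\\x.exe' makes the Windows host
    connect to 10.0.0.5 and authenticate as the machine account.
    """
    return _sha256_of(user_path)


def get_hash_for_file_hardened(user_path: str) -> str:
    """Hardened counterpart: only relative paths below BASE_DIR are ever opened."""
    target = resolve_under_base(user_path)
    return _sha256_of(str(target))


if __name__ == "__main__":
    # Constructed sample inputs: what an attacker might send vs. a legitimate request.
    samples = [
        "\\\\10.0.0.5\\share\\x.exe",   # UNC path to an attacker-controlled host
        "//10.0.0.5/share/x.exe",       # same, with forward slashes
        "C:\\Windows\\System32\\cmd.exe",
        "\\Windows\\win.ini",           # rooted, drive-relative
        "..\\..\\Windows\\win.ini",
        "updates\\..\\..\\secret.txt",
        "updates/patch.msi",            # the only acceptable one
        "",
    ]
    for s in samples:
        try:
            print(f"{s!r:40} -> {resolve_under_base(s)}")
        except ValueError as err:
            print(f"{s!r:40} -> {err}")
```

The pure-path check deliberately does not touch the filesystem; production code should additionally resolve the final path on the real host (symlinks and junctions can still redirect an in-base path elsewhere) and should treat any outbound SMB connection from the service host as a detection signal, since a correctly hardened handler never needs one.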

Cybersecurity Dive contacted Ivanti for comment on the reported exploitation activity.

Patch Now

Under CISA’s Binding Operational Directive 22-01, which governs the known exploited vulnerabilities catalog, federal civilian executive branch agencies must patch or mitigate CVE-2024-13159, CVE-2024-13160 and CVE-2024-13161 by March 31.

Attackers have increasingly targeted Ivanti products in recent years as both cybercriminals and nation-state actors have shifted their focus to network edge devices like VPNs as well as remote IT management tools. For example, in January threat actors chained several zero-day vulnerabilities in attacks on Ivanti Cloud Service Appliance customers.
