Ivanti Endpoint Manager Vulnerabilities Proof-of-Concept (PoC) Exploit Released


A cluster of four critical vulnerabilities in Ivanti Endpoint Manager (EPM) has entered a dangerous new phase with the public release of proof-of-concept (PoC) exploit code, escalating risks for organizations using the enterprise device management platform.

Discovered by researchers in October 2024 and patched by Ivanti in January 2025, these vulnerabilities (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159) enable unauthenticated attackers to manipulate EPM servers into exposing machine account credentials for relay attacks, a technique that could grant domain-wide administrative control.

Architectural Flaws in Core Vulnerability Management Functions

The vulnerabilities reside in the WSVulnerabilityCore.dll component of Ivanti EPM’s .NET framework, specifically within API endpoints designed for file hash calculations.

Analysis reveals that the VulCore class methods—including GetHashForWildcardRecursive(), GetHashForWildcard(), GetHashForSingleFile(), and GetHashForFile()—fail to validate user-supplied paths, enabling UNC path injection.

This allows attackers to force the EPM server to authenticate to a malicious SMB share using its machine account credentials, which typically possess elevated domain privileges.

The technical root cause stems from improper handling of the wildcard and strFileName parameters in these functions. When processing a crafted path, the EPM server automatically attempts to enumerate files, transmitting NTLMv2 credentials in the process.

Researchers explain: “These vulnerabilities turn a routine file-hashing operation into a credential leakage mechanism. The machine account’s domain privileges make this particularly dangerous: compromise one EPM server, and you potentially compromise every managed endpoint”.

Exploit Chain Enables Domain Takeover

The released PoC demonstrates how attackers can chain these vulnerabilities with standard penetration testing tools:

  1. Credential Harvesting: Using network interception tools, attackers capture the EPM server’s NTLMv2 hashes during forced authentication attempts.
  2. LDAP Relay Attacks: The harvested credentials get relayed to domain controllers to create unauthorized machine accounts with delegation rights.
  3. Privilege Escalation: Attackers forge Kerberos tickets using toolkit utilities, impersonating domain administrators to access critical services like CIFS.

Documentation includes a demonstration where researchers achieved full domain compromise within 15 minutes of initial access. This attack path mirrors techniques used in recent campaigns by advanced persistent threat groups.

The initial patches caused compatibility issues with Windows Action components, requiring a revised update released on January 17. Organizations that applied the first patch must reapply the updated version, a detail some IT teams might overlook.

Compounding these challenges, Ivanti’s recent security history has strained customer trust. The vulnerabilities follow a turbulent 2024 where multiple zero-days in Ivanti VPN appliances were exploited by state-linked actors.

Industry analysts note: “Each new Ivanti vulnerability now gets scrutinized through the lens of previous breaches, creating a ‘patch fatigue’ effect that delays critical updates”.

Mitigation Strategies for Enterprise Teams

  1. Immediate Patching: Deploy Ivanti’s January 2025 updates across all management servers.
  2. Network Segmentation: Restrict EPM servers from initiating outbound SMB/LDAP connections to untrusted networks.
  3. Credential Hardening: Implement Extended Protection for Authentication (EPA) on domain controllers to block NTLM relay attacks.
  4. Monitoring: Hunt for abnormal LDAP machine account creation events and unexpected EPM server SMB traffic.
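The two hunts in the Monitoring item can be expressed as simple rules over security events and network flows. The code below is an added example, not tooling from the article or from Ivanti; the EPM hostnames, the SMB allowlist, and the normalised event and flow records are constructed assumptions, and Windows Security event 4741 is the standard "computer account was created" event logged on domain controllers.

```python
"""Hunt rules for the EPM mitigation signals: machine accounts being created
by another machine account (the LDAP relay pattern) and an EPM server opening
outbound SMB to a host it has no business talking to. All data is constructed."""

EPM_SERVERS = {"epm01"}                       # assumed EPM server hostnames
ALLOWED_SMB_PEERS = {"fileserver01", "dc01"}  # assumed legitimate SMB targets

# Constructed, normalised Windows Security events (subset of 4741 fields).
SECURITY_EVENTS = [
    {"event_id": 4741, "subject": "EPM01$", "new_account": "WKST-RLY$"},
    {"event_id": 4741, "subject": "jdoe", "new_account": "LAPTOP-07$"},
    {"event_id": 4624, "subject": "EPM01$", "new_account": ""},
]

# Constructed network flow records: source host, destination, destination port.
FLOWS = [
    {"src": "epm01", "dst": "fileserver01", "dport": 445},
    {"src": "epm01", "dst": "10.66.0.5", "dport": 445},
    {"src": "wkst-12", "dst": "epm01", "dport": 445},
]


def suspicious_account_creations(events):
    """Return (creator, new_account) for 4741 events whose creating subject is
    itself a machine account. Interactive domain joins are performed by a user;
    a relay of a server's NTLM session creates the object as SERVER$ instead."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4741:
            continue
        subject = ev["subject"]
        if subject.endswith("$"):
            hits.append((subject, ev["new_account"]))
    return hits


def unexpected_epm_smb(flows):
    """Return (src, dst) for outbound SMB (TCP/445) from an EPM server to a
    host outside the allowlist: the signature of the server being coerced
    into authenticating to a rogue share."""
    return [
        (f["src"], f["dst"])
        for f in flows
        if f["src"].lower() in EPM_SERVERS
        and f["dport"] == 445
        and f["dst"].lower() not in ALLOWED_SMB_PEERS
    ]


if __name__ == "__main__":
    print("account creations:", suspicious_account_creations(SECURITY_EVENTS))
    print("unexpected EPM SMB:", unexpected_epm_smb(FLOWS))
```

In production the same two rules map directly onto SIEM queries: 4741 with SubjectUserName ending in "$" on the domain controllers, and firewall or NetFlow records with an EPM server as source and port 445 as destination.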

Security platforms have released detection signatures to identify unpatched systems. Ivanti recommends using their integrity verification tools to validate patch completeness.

These vulnerabilities underscore systemic risks in enterprise management systems that combine high privileges with internet-exposed interfaces.

Analysts observe: “EPM’s required access to domain controllers and endpoints makes it a perfect escalation point. Vendors must adopt zero-trust principles in product design, assuming every API call could be malicious”.

The incident also reignites debates about vulnerability disclosure timelines. Researchers waited 30 days post-patch before publishing technical details, a balance between responsible disclosure and operational urgency. However, with exploit code now public, unpatched systems face imminent threats.
