PoC Exploit Released for Ivanti EPM Vulnerabilities


A recent investigation into Ivanti Endpoint Manager (EPM) has uncovered four critical vulnerabilities that could allow unauthenticated attackers to exploit machine account credentials for relay attacks, potentially leading to server compromise.

These vulnerabilities, identified in `C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll`, were patched in January 2025 following their discovery in October 2024.

The four vulnerabilities are tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159.

The vulnerabilities stem from the improper validation of user input in several methods within the VulCore class of the WSVulnerabilityCore namespace.

For instance, the GetHashForWildcardRecursive() method lets an attacker manipulate the wildcard parameter so that the server constructs a remote UNC path from it.

This exploitation enables attackers to coerce the EPM server into reading files from an arbitrary directory, thereby exposing sensitive data or facilitating further attacks.

Similarly, the GetHashForWildcard() and GetHashForSingleFile() methods exhibit comparable flaws.

The former permits unauthenticated users to construct paths that reach remote UNC locations, while the latter appears to accept UNC paths as input without any authentication check.

This lack of security measures poses significant risks, as attackers can leverage these endpoints to gain unauthorized access to critical functions within the EPM server.

In response to these vulnerabilities, Horizon3.ai has released a proof-of-concept (PoC) exploit demonstrating how these issues can be exploited in practical scenarios.

The PoC highlights various attack vectors, including relaying techniques that could allow attackers to create machine accounts or gain delegated admin access through NTLM relay attacks.

By using tools such as ntlmrelayx, attackers can relay requests to LDAP servers and add machine accounts with elevated privileges.

The timeline for this disclosure began on October 15, 2024, when the vulnerabilities were reported to Ivanti.

The company acknowledged receipt of the report the following day and validated the vulnerabilities shortly thereafter.

A patch was released on January 13, 2025, but public awareness of these critical issues only emerged with a blog post from Horizon3.ai on February 19, 2025.

Organizations utilizing Ivanti EPM are strongly advised to apply the latest patches and review their security configurations to mitigate potential exploitation risks.

The release of this PoC exploit serves as a stark reminder of the importance of robust input validation and authentication mechanisms in safeguarding against unauthorized access and data breaches.

As cybersecurity threats continue to evolve, proactive measures remain essential for maintaining secure environments.
