Threat Research

Ivanti Endpoint Manager Vulnerabilities: Critical CVEs & Exploit Details

iocOne
Ivanti Endpoint Manager Vulnerabilities: Critical CVEs & Exploit Details

A recent investigation uncovered four critical vulnerabilities in Ivanti Endpoint Manager that allow unauthenticated attackers to conduct relay attacks, potentially compromising servers. These vulnerabilities were found in the .NET application and have been patched as of January 2025. Affected: Ivanti Endpoint Manager (EPM)

Keypoints :

  • Four critical vulnerabilities discovered in Ivanti Endpoint Manager.
  • The vulnerabilities involve credential coercion attacks that can lead to server compromise.
  • Each vulnerability corresponds to different methods in the WSVulnerabilityCore.dll library.
  • Security patches were released by Ivanti in January 2025.
  • These vulnerabilities allow unauthenticated users to potentially manipulate server behavior.

MITRE Techniques :

  • TA0001: Initial Access – Credential Coercion vulnerabilities allow unauthenticated access through the following methods:
  • T1071.001 (Application Layer Protocol: Web Protocols) – GetHashForFile() method allows attackers to coerce the server to reach remote UNC paths.
  • T1071.001 (Application Layer Protocol: Web Protocols) – GetHashForSingleFile() method allows similar coercion through remote paths.
  • T1071.001 (Application Layer Protocol: Web Protocols) – GetHashForWildcardRecursive() method exposes vulnerabilities for remote path manipulation.
  • T1071.001 (Application Layer Protocol: Web Protocols) – GetHashForWildcard() method enables exploitation via unauthenticated inputs as well.

Indicator of Compromise :

  • [CVE ID] CVE-2024-10811
  • [CVE ID] CVE-2024-13161
  • [CVE ID] CVE-2024-13160
  • [CVE ID] CVE-2024-13159
  • [Domain] ivanti-epm2.smoke.net

Full Story: https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/