Remote Code Execution Exploit Released for Ivanti Endpoint Manager
Researchers have disclosed a proof-of-concept exploit for a critical vulnerability in Ivanti Endpoint Manager (CVE-2024-29847, CVSS score: 9.8), which permits remote code execution. The exploit is now publicly available, making it imperative to update devices promptly to safeguard against potential attacks.
The vulnerability stems from the deserialization of untrusted data and affects versions of Ivanti Endpoint Manager prior to 2022 SU6 and EPM 2024. Security researcher Sina Kheirkhah (@SinSinology) discovered the vulnerability and reported it through the Zero Day Initiative (ZDI) on May 1, 2024. He recently published a comprehensive description of the exploitation mechanism, which could lead to an increase in attacks in the near future.
The vulnerability arises from insecure deserialization in the AgentPortal.exe component, specifically within its OnStart method. This method uses the legacy Microsoft .NET Remoting technology for remote object communication, which gives attackers an opportunity to introduce malicious serialized objects into the system.
An attack involves sending specially crafted serialized objects to the vulnerable server, enabling the attacker to execute arbitrary operations, including reading or writing files. This can lead to the installation of web shells for code execution on the server.
Although the vulnerable component includes restrictions on the deserialization of certain objects, researcher Kheirkhah has outlined a method to bypass this protection, rendering the exploitation of the vulnerability even more perilous.
On September 10th, Ivanti released urgent security updates for EPM versions 2022 and 2024, which address this issue. Currently, no other mitigation measures besides installing the updates are offered, and all clients are strongly advised to update their systems as soon as possible.