CVE-2024-29847: PoC Released for Critical Ivanti RCE Flaw

Threat alert
September 19, 2024

A proof-of-concept (PoC) exploit has been released for CVE-2024-29847, the critical vulnerability in Ivanti Endpoint Manager (EPM), making it urgent for organizations to update their systems. The Remote Code Execution (RCE) vulnerability, caused by insecure deserialization of untrusted data, affects Ivanti EPM versions before the 2022 SU6 and 2024 updates.

The root cause has been identified in the OnStart method of the service executable, AgentPortal.exe. The service relies on the outdated .NET Remoting framework, which facilitates communication between remote objects. Researchers observed that the service registers a TCP channel with a dynamically assigned port and no security enforcement, then saves it to the registry.
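For developers auditing their own services for the same pattern, the following added example (not Ivanti's code and not taken from the advisory) contrasts a .NET Remoting TCP channel registered the way the alert describes with a more restrictive registration. `DemoService`, the channel name and the class layout are hypothetical; the example assumes .NET Framework with a reference to System.Runtime.Remoting.

```csharp
// Added illustration for .NET Framework (System.Runtime.Remoting); not Ivanti's code.
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical remotable type, present only so the channel has something to serve.
public class DemoService : MarshalByRefObject
{
    public string Ping() { return "pong"; }
}

public static class RemotingSetup
{
    // Weak: the pattern the alert describes (dynamic port, no security enforcement).
    public static TcpServerChannel RegisterWeak()
    {
        var channel = new TcpServerChannel(0);            // port 0: the OS assigns a free port
        ChannelServices.RegisterChannel(channel, false);  // ensureSecurity = false
        return channel;
    }

    // More restrictive: secured channel, local callers only, limited deserialization.
    public static TcpServerChannel RegisterHardened()
    {
        var props = new Hashtable();
        props["name"] = "demo-hardened";       // constructed channel name
        props["port"] = 0;
        props["secure"] = true;                // authenticate callers and protect traffic
        props["rejectRemoteRequests"] = true;  // refuse connections from other hosts
        var sink = new BinaryServerFormatterSinkProvider();
        sink.TypeFilterLevel = TypeFilterLevel.Low;  // restrict which types are deserialized
        var channel = new TcpServerChannel(props, sink);
        ChannelServices.RegisterChannel(channel, true);  // ensureSecurity = true
        return channel;
    }

    public static void Main()
    {
        TcpServerChannel channel = RegisterHardened();
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(DemoService), "DemoService", WellKnownObjectMode.Singleton);
        foreach (string url in channel.GetUrlsForUri("DemoService"))
            Console.WriteLine("Listening on " + url);
        Console.ReadLine();  // keep the process alive while testing locally
    }
}
```

Microsoft documents .NET Remoting as a legacy technology that is not recommended for new development, so these settings narrow exposure in existing code and are not a substitute for moving off the framework.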

Exploitation involves an attacker crafting a hashtable containing serialized objects and sending it to the vulnerable endpoint. Upon deserialization, methods on the DirectoryInfo or FileInfo objects can be called, so an attacker can read or write files on the server. Successful exploitation allows attackers to execute arbitrary code, potentially compromising sensitive systems. Threat actors can perform file operations, deploy malware, or install web shells for further access.

Impacted Products:  

  • Ivanti Endpoint Manager versions 2022 SU5 and earlier  
  • Ivanti Endpoint Manager version 2024  

Ivanti has issued security patches (2022 SU6 and September 2024 updates). Applying these updates is essential, as no other mitigation methods are available. The advisory can be found here. The PoC can be found here.