PoC Exploit Released for Ivanti EPM Flaw CVE-2024-29847 (CVSS 10)

CVE-2024-29847 PoC exploit Github
Image: Horizon3.ai

Security researcher James Horseman from Horizon3.ai has disclosed the technical details and a proof-of-concept (PoC) exploit code for a critical vulnerability (CVE-2024-29847) in Ivanti Endpoint Management (EPM) software, potentially allowing attackers to gain unauthorized access to core servers. The flaw, rated with a CVSS score of 10 (the highest severity), stems from a deserialization of untrusted data weakness in the agent portal.

Ivanti Endpoint Management is a widely used platform by IT administrators to manage devices running various operating systems, including Windows, macOS, Chrome OS, and IoT systems. EPM enables centralized management of client devices, making it a critical tool for organizations relying on consistent device control and security.

The CVE-2024-29847 vulnerability is caused by the improper deserialization of untrusted data in Ivanti’s AgentPortal service. Deserialization vulnerabilities occur when untrusted data is used to reconstitute an object in memory, potentially opening the door for attackers to inject malicious code. In this case, the flaw allows attackers to exploit Ivanti EPM and execute arbitrary code with SYSTEM-level privileges, essentially giving them full control over affected systems.

Despite the classification of this flaw as deserialization, Horseman’s analysis suggests that command injection may better describe the vulnerability’s behavior. “While we are pretty sure that the vulnerability described in this post is the true CVE-2024-29847, we feel it would be more accurately described as a command injection,” Horseman noted, hinting at the possibility that there could be further aspects to this flaw yet to be fully understood.

As of the time of disclosure, Ivanti has stated that there is no known exploitation of this vulnerability in the wild, and they have not received reports of customers being directly impacted. However, the release of PoC exploit code for CVE-2024-29847 on GitHub significantly raises the risk of potential attacks, as threat actors can now quickly weaponize this exploit.

Given the critical nature of the vulnerability, the company urges administrators to immediately apply the hot patches in Ivanti EPM 2024 or upgrade to Ivanti EPM 2022 Service Update 6 (SU6), which addresses the issue. The window for attack is wide open, particularly for systems that have not yet applied these patches.

For organizations seeking to defend against potential attacks, indicators of compromise (IoCs) should be closely monitored. The port used by the AgentPortal service can be found in the registry at: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal

Unexpected connections to the AgentPortal service, particularly from unusual or untrusted IP addresses, should be thoroughly investigated for signs of malicious activity.

Update: 

Security researcher SinSinology who found this flaw, also published the technical details and a proof-of-concept exploit for this flaw.

Related Posts: