CVE-2024-10811
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to perform absolute path traversal attacks on Ivanti Endpoint Manager (EPM) systems, potentially leaking sensitive information like credentials and configuration files. It affects all Ivanti EPM installations before the January 2025 security updates. Organizations using vulnerable versions are at risk of credential theft and system compromise.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via credential theft leading to domain takeover, lateral movement across the network, and deployment of ransomware or other malware.
Likely Case
Credential harvesting leading to unauthorized access to EPM systems, potential privilege escalation, and data exfiltration.
If Mitigated
Limited information disclosure if proper network segmentation and access controls prevent lateral movement.
🎯 Exploit Status
Horizon3.ai has published detailed exploitation techniques showing how to extract credentials and configuration files. The attack requires no authentication and uses simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January-2025 Security Update or EPM 2022 SU6 January-2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: Yes
Instructions:
1. Download the appropriate security update from Ivanti's support portal.
2. Apply the update to all EPM servers.
3. Restart the EPM services.
4. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM servers to only trusted administrative networks
Use firewall rules to block external access to EPM ports (typically 80/443, 8443, 8444)
Web Application Firewall
Deploy WAF rules to block path traversal patterns
Configure WAF to block requests containing '../', '..\', absolute paths, and directory traversal patterns
🧯 If You Can't Patch
- Immediately isolate EPM servers from internet access and restrict internal access to only necessary administrative networks
- Implement strict monitoring for suspicious file access patterns and credential extraction attempts from EPM systems
🔍 How to Verify
Check if Vulnerable:
Check EPM version against affected versions. Attempt to access known sensitive files via path traversal if authorized for testing.
Check Version:
Check EPM web interface admin panel or server installation details for version information
Verify Fix Applied:
Verify EPM version shows the January 2025 security update applied. Test that path traversal attempts now return proper errors.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../', '..\', absolute paths, or attempts to access sensitive files like config files, credential stores
Network Indicators:
- Unusual file downloads from EPM servers, especially configuration or credential files
SIEM Query:
source="epm_logs" AND (url="*../*" OR url="*..\\*" OR url="*/config*" OR url="*/credential*")
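The matching logic behind the WAF patterns in Temporary Workarounds and the Log Indicators and SIEM Query above, as an added example in Python. This is not code from the original advisory, from Ivanti or from Horizon3.ai: it assumes a common-log-format access log in front of the EPM web server, and the sample lines, client IPs and file names are constructed for illustration (EPM's real log format and endpoints are not taken from this page). It goes one step beyond the SIEM query by percent-decoding the URL twice, so single- and double-encoded traversal sequences (`%2e%2e%2f`, `%252e%252e%252f`) that a literal `*../*` wildcard misses are still flagged, and it covers the absolute-path form this CVE is about (drive-letter or `/etc/`-style values in a parameter), not only `../`.

```python
"""Detection helper for path-traversal requests in web-server access logs.

Added example, not code from the original advisory, from Ivanti or from
Horizon3.ai. The log format, field names and sample lines are constructed
for illustration; real EPM logs will differ and the parser must be adapted.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed access-log lines (common log format). Not real EPM traffic.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2025:10:01:05 +0000] "GET /app/../../../windows/win.ini HTTP/1.1" 200 92
10.0.0.7 - - [12/Jan/2025:10:01:06 +0000] "GET /app/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 404 0
10.0.0.9 - - [12/Jan/2025:10:01:09 +0000] "GET /download?file=C:\ProgramData\app\credentials.xml HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jan/2025:10:01:10 +0000] "GET /download?file=/etc/passwd HTTP/1.1" 200 1200
10.0.0.4 - - [12/Jan/2025:10:01:11 +0000] "GET /static/app.css HTTP/1.1" 200 3300
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Relative traversal: "../" or "..\" anywhere in the decoded URL.
RELATIVE_RE = re.compile(r'\.\.[/\\]')
# Absolute Windows path (drive letter) at the start of a path or parameter value.
ABS_WINDOWS_RE = re.compile(r'(?:^|[=/\\])[A-Za-z]:[\\/]')
# Absolute POSIX path supplied as a parameter value (e.g. file=/etc/...).
ABS_POSIX_RE = re.compile(r'=/(?:etc|proc|root|home|var|usr)/')
# File names commonly requested when the goal is credential/config disclosure.
SENSITIVE_RE = re.compile(r'config|credential|passwd|secret|win\.ini', re.IGNORECASE)


def traversal_indicators(url: str) -> List[str]:
    """Return the traversal indicators present in a request URL.

    The URL is percent-decoded twice so that single- and double-encoded
    variants (%2e%2e%2f, %252e%252e%252f) are normalised before matching.
    """
    decoded = unquote(unquote(url))
    indicators = []
    if RELATIVE_RE.search(decoded):
        indicators.append('relative-traversal')
    if ABS_WINDOWS_RE.search(decoded):
        indicators.append('absolute-windows-path')
    if ABS_POSIX_RE.search(decoded):
        indicators.append('absolute-posix-path')
    if SENSITIVE_RE.search(decoded):
        indicators.append('sensitive-filename')
    return indicators


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def scan_log(lines) -> List[dict]:
    """Flag requests carrying traversal indicators.

    A 200 response to a traversal-shaped request means the server may have
    served the file, so those are ranked 'high'; anything else is 'medium'.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = traversal_indicators(rec['url'])
        if not indicators:
            continue
        hits.append({
            'client': rec['client'],
            'url': rec['url'],
            'status': rec['status'],
            'indicators': indicators,
            'priority': 'high' if rec['status'] == 200 else 'medium',
        })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['priority']:6} {hit['client']:10} {hit['status']} "
              f"{','.join(hit['indicators'])}  {hit['url']}")
```

Run against the constructed sample, four of the six lines are flagged; the 404 on the encoded `../../config` request ranks lower than the three 200 responses, which are the ones worth escalating first. The same four regexes are the patterns a WAF rule set would block, with the double-decoding being the part the `*../*` wildcard in the SIEM query does not do on its own.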