CVE-2024-13158
📋 TL;DR
This vulnerability allows remote authenticated attackers with admin privileges to execute arbitrary code on Ivanti EPM systems by exploiting an unbounded resource search path. It affects Ivanti EPM 2024 before the January-2025 Security Update and Ivanti EPM 2022 SU6 before the January-2025 Security Update.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the EPM server, potentially leading to domain-wide persistence, data exfiltration, and lateral movement.
Likely Case
Privileged authenticated attackers achieving remote code execution on the EPM server, enabling installation of backdoors, credential theft, and further network exploitation.
If Mitigated
Limited impact due to proper network segmentation, admin privilege restrictions, and monitoring that detects unusual admin activity.
🎯 Exploit Status
Exploitation requires admin credentials and knowledge of the vulnerability, but the path traversal mechanism appears straightforward for attackers with those prerequisites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ivanti EPM 2024 January-2025 Security Update, Ivanti EPM 2022 SU6 January-2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: No
Instructions:
1. Download the appropriate security update from the Ivanti support portal.
2. Apply the update to all EPM servers.
3. Verify successful installation through the EPM console.
🔧 Temporary Workarounds
Restrict Admin Access
Limit EPM admin privileges to only essential personnel and implement multi-factor authentication for admin accounts.
Network Segmentation
Isolate EPM servers from critical network segments and restrict inbound connections to only necessary management interfaces.
🧯 If You Can't Patch
- Implement strict monitoring of EPM admin account activity and alert on unusual login patterns or administrative actions.
- Apply network controls to limit EPM server communication to only required endpoints and implement application allowlisting.
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the console: Settings > About. If the installed version is earlier than the January-2025 Security Update for either EPM 2024 or EPM 2022 SU6, the system is vulnerable.
Check Version:
Check via EPM console interface or review installation logs for update confirmation.
Verify Fix Applied:
Verify the installed version shows the January-2025 Security Update has been applied in the EPM console.
📡 Detection & Monitoring
Log Indicators:
- Unusual admin account logins to EPM console
- Unexpected process execution from EPM service accounts
- File creation/modification in EPM directories by non-standard processes
Network Indicators:
- Unusual outbound connections from EPM servers
- Suspicious PowerShell or command execution originating from EPM systems
SIEM Query:
source="epm_logs" AND (event_type="admin_login" OR process_execution="unusual")
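As an added illustration of the three log indicator classes above (not part of the original advisory and not Ivanti's code), the following Python checks constructed EPM-style events for admin logins from outside management subnets, interpreters or unexpected images started by an EPM service account, and writes into the EPM install tree by non-standard processes. The event shape, subnet, account names, process names and the C:\EPM path are all assumed placeholders.

```python
import ipaddress

# Assumed baselines (placeholders, not Ivanti's values): management subnets allowed
# to reach the EPM console, EPM service accounts, and processes expected to run as
# those accounts or to write inside the EPM install tree.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
EPM_SERVICE_ACCOUNTS = {"svc-epm"}
EPM_DIR = "c:\\epm\\"                               # placeholder install path
ALLOWED_EPM_PROCESSES = {"epmsvc.exe", "w3wp.exe"}  # placeholder image names
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return alert strings for one event; an empty list means nothing matched."""
    alerts = []
    kind = ev.get("event_type")
    if kind == "admin_login":  # indicator: unusual admin logins
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in MGMT_NETS):
            alerts.append(f"admin login by {ev['user']} from non-management IP {ip}")
    elif kind == "process_start" and ev.get("user") in EPM_SERVICE_ACCOUNTS:
        img = basename(ev["image"])  # indicator: unexpected process from service account
        if img in INTERPRETERS:
            alerts.append(f"{img} spawned as {ev['user']} by {ev.get('parent')}")
        elif img not in ALLOWED_EPM_PROCESSES:
            alerts.append(f"unexpected process {img} running as {ev['user']}")
    elif kind == "file_write":  # indicator: EPM directory written by non-standard process
        proc = basename(ev["process"])
        if ev["path"].lower().startswith(EPM_DIR) and proc not in ALLOWED_EPM_PROCESSES:
            alerts.append(f"{proc} wrote {ev['path']} inside the EPM directory")
    return alerts

def scan(events):
    """Run check_event over a sequence of events and flatten the alerts."""
    return [a for ev in events for a in check_event(ev)]

# Constructed sample events in a simplified, assumed JSON-like shape.
SAMPLE_EVENTS = [
    {"event_type": "admin_login", "user": "epm-admin", "src_ip": "203.0.113.9"},
    {"event_type": "admin_login", "user": "epm-admin", "src_ip": "10.0.5.21"},
    {"event_type": "process_start", "user": "svc-epm", "parent": "w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event_type": "process_start", "user": "svc-epm", "image": "C:\\EPM\\epmsvc.exe"},
    {"event_type": "file_write", "process": "C:\\Windows\\System32\\cmd.exe",
     "path": "C:\\EPM\\bin\\dropped.exe"},
]
```

Calling scan(SAMPLE_EVENTS) on the constructed data yields three alerts: the login from 203.0.113.9, the cmd.exe spawned as the service account, and the write into C:\EPM; the in-subnet login and the expected service image are not flagged.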