CVE-2024-13163
📋 TL;DR
This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on Ivanti Endpoint Manager (EPM) systems through deserialization of untrusted data. No credentials are needed, but local user interaction is required, so the attacker must induce a user on the affected system to act on attacker-controlled data rather than exploit the flaw zero-click over the network. Organizations running Ivanti EPM 2024 or EPM 2022 SU6 without the January-2025 Security Update are affected.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
Ivanti Endpoint Manager (EPM) is a unified endpoint management product used to inventory, configure, patch and deploy software to managed endpoints from a central core server. Because the core server holds credentials and push capability for every managed endpoint, compromise of that server is a high-value foothold.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data theft, lateral movement, ransomware deployment, and persistent backdoor installation across the network.
Likely Case
Initial foothold for attackers to establish persistence, steal credentials, and move laterally within the network environment.
If Mitigated
Limited impact due to network segmentation, application whitelisting, and proper access controls preventing successful exploitation.
🎯 Exploit Status
Exploitable by a remote, unauthenticated attacker, but local user interaction is required, which raises the bar compared with a fully remote, zero-click bug. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January-2025 Security Update, EPM 2022 SU6 January-2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: No
Instructions:
1. Download the appropriate security update from the Ivanti support portal.
2. Apply the update to all affected EPM servers.
3. Verify successful installation by checking version numbers.
4. Test EPM functionality post-update.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Restrict network access to EPM servers to trusted administrative networks only.
Application Control
Windows: Implement application whitelisting to prevent execution of unauthorized binaries.
🧯 If You Can't Patch
- Isolate EPM servers in a dedicated network segment with strict firewall rules
- Implement network monitoring and intrusion detection specifically for EPM traffic
🔍 How to Verify
Check if Vulnerable:
Check EPM version in the Ivanti EPM console under Help > About. Compare against affected versions.
Check Version:
Check via EPM console interface (no direct CLI command available)
Verify Fix Applied:
Confirm that the EPM console (Help > About) reports the January-2025 Security Update as applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from EPM services
- Suspicious network connections from EPM server
- Deserialization errors in application logs
Network Indicators:
- Unusual outbound connections from EPM server
- Traffic patterns inconsistent with normal EPM operations
SIEM Query:
source="epm_server" AND ((event_type="process_creation" AND parent_process="epm_service") OR (event_type="network_connection" AND NOT dest_ip IN allowed_ips))
(Pseudo-query: the outer parentheses are required so the OR does not swallow the source filter; replace epm_service and allowed_ips with the actual EPM service process names and your destination allowlist in your SIEM's syntax.)
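The log and network indicators above, turned into runnable detection logic, as an added example that is not part of the original page and not Ivanti's or any SIEM vendor's code. It runs over constructed key="value" events; the parent process name epm_service, the field names and the allowed networks are placeholders you must map to your own EDR/SIEM schema and environment. It narrows "unusual process creation" to living-off-the-land binaries spawned by the EPM service, which is what a deserialization-to-RCE chain typically produces, and it uses a CIDR allowlist instead of a flat IP list.

```python
"""Toy detector for the indicators in the Detection & Monitoring section.

Added example, not real Ivanti EPM telemetry or an official rule.
"""
import ipaddress
import re

# Assumption: process names your EDR reports for the EPM service.
# "epm_service" is the placeholder used in the SIEM query above, not a real binary name.
EPM_PARENTS = {"epm_service"}

# Children a management service has no business spawning (living-off-the-land binaries).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}

# Assumption: networks the EPM core server is expected to reach (management VLAN, patch mirror).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Constructed sample events (raw string so Windows paths keep their backslashes).
SAMPLE_EVENTS = r"""source="epm_server" event_type="process_creation" parent_process="epm_service" process="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami"
source="epm_server" event_type="process_creation" parent_process="epm_service" process="C:\Program Files\Ivanti\updater.exe" cmdline="updater.exe"
source="epm_server" event_type="network_connection" process="epm_service" dest_ip="10.10.5.20" dest_port="443"
source="epm_server" event_type="network_connection" process="epm_service" dest_ip="203.0.113.77" dest_port="443"
source="epm_server" event_type="process_creation" parent_process="explorer.exe" process="C:\Windows\System32\notepad.exe" cmdline="notepad.exe"
source="workstation01" event_type="network_connection" process="chrome.exe" dest_ip="198.51.100.9" dest_port="443"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" key="value" ... line into a dict."""
    return dict(FIELD_RE.findall(line))


def process_alert(ev):
    """Flag a LOLBin spawned by an EPM service process; otherwise None."""
    parent = ev.get("parent_process", "").lower()
    # Basename of the child, tolerating either path separator.
    child = ev.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if parent in EPM_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"suspicious child {child} spawned by {parent}: {ev.get('cmdline', '')}"
    return None


def network_alert(ev):
    """Flag an outbound connection whose destination is outside every allowed network."""
    try:
        dest = ipaddress.ip_address(ev.get("dest_ip", ""))
    except ValueError:
        # A malformed destination is itself worth a look rather than a silent skip.
        return f"unparseable dest_ip {ev.get('dest_ip')!r}"
    if not any(dest in net for net in ALLOWED_NETWORKS):
        return f"outbound connection to non-allowlisted {dest}:{ev.get('dest_port', '?')}"
    return None


def scan(events_text):
    """Apply both rules to every event from the EPM server; return the alert strings."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("source") != "epm_server":
            continue  # the source filter applies to both branches, as in the corrected query
        if ev.get("event_type") == "process_creation":
            hit = process_alert(ev)
        elif ev.get("event_type") == "network_connection":
            hit = network_alert(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample the scan raises exactly two alerts: the cmd.exe spawned by the EPM service and the connection to 203.0.113.77; the legitimate updater child, the in-allowlist connection and the non-EPM workstation events are ignored. Tune SUSPICIOUS_CHILDREN and ALLOWED_NETWORKS from a baseline of normal EPM activity before deploying, since a patch-deployment server does legitimately spawn child processes and talk to vendor update sites.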