CVE-2024-13165
📋 TL;DR
An out-of-bounds write (CWE-787) in Ivanti Endpoint Manager (EPM) lets a remote, unauthenticated attacker crash the affected service, causing a denial of service. It affects EPM 2024 and EPM 2022 SU6 builds earlier than the January 2025 security updates. Any organization running those builds, particularly with the core server reachable from untrusted networks, is exposed.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
Ivanti Endpoint Manager (EPM, formerly LANDESK Management Suite) is a Windows-based endpoint management platform. A central core server handles inventory, software distribution, patch management and remote control for managed devices, which run an agent that reports back to the core. The core server is therefore a listener that every managed endpoint must be able to reach.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Ivanti EPM, preventing endpoint management and potentially requiring manual recovery of affected systems.
Likely Case
Service crashes leading to temporary loss of endpoint management capabilities until service restart.
If Mitigated
Reduced exposure when the core server is reachable only from management networks and from the subnets that host managed endpoints. Note that any host that can still reach the vulnerable listener can still crash it; segmentation limits who can trigger the bug, it does not remove it.
🎯 Exploit Status
The vendor advisory states that remote, unauthenticated exploitation is possible; no public exploit or proof of concept is known, and the specific network path is not documented. CWE-787 (out-of-bounds write) is a memory-corruption class, so while the published impact is denial of service, treat the patch with the urgency of a memory-safety bug rather than a pure availability issue. Nothing published shows code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January 2025 Security Update, EPM 2022 SU6 January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: Yes
Instructions:
1. Download the January 2025 security update for your branch (EPM 2024 or EPM 2022 SU6) from Ivanti's support portal.
2. Apply the update to all EPM servers.
3. Restart EPM services (or the server).
4. Confirm the new build in the console (Help > About) and check that consoles and agents can still reach the core.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM servers to trusted management networks, the administrative workstations that run the console, and the subnets that host managed endpoints (agents must still check in to the core).
Use host or perimeter firewall rules to limit inbound connections to the EPM listener ports to those address ranges only, and make sure the core server is not reachable from the internet.
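The following is an added example of the host-firewall scoping described above, written for Windows Defender Firewall on the EPM core server; it is not code from the Ivanti advisory. The address ranges are placeholders, and the port list is an assumption that must be checked against Ivanti's published port requirements for your EPM version before use: a wrong list either leaves the listener exposed or breaks agent check-in.

```powershell
# Added example (not from the Ivanti advisory): scope inbound access to the EPM core
# server with Windows Defender Firewall. Run in an elevated PowerShell on the core.
#
# ASSUMPTIONS: the address ranges are placeholders for this example, and the TCP port
# list must be verified against Ivanti's EPM port documentation for your version.
$TrustedRanges = @(
    '10.10.50.0/24',   # admin consoles / management network
    '10.20.0.0/16'     # subnets hosting managed endpoints (agents must still reach the core)
)
$EpmTcpPorts = @(80, 443, 9593, 9594, 9595, 5007)   # assumed; verify against the vendor port list

# 1. Default-deny unsolicited inbound traffic on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Find existing inbound allow rules that open any of these ports to ALL remote
#    addresses. Allow rules are cumulative, so a broad allow would silently undo the
#    scoped rule created below. (Port ranges such as '9593-9595' in existing rules are
#    not matched by this simple check; review the full rule set as well.)
$broadAllows = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $port.Protocol -eq 'TCP' -and
    $addr.RemoteAddress -eq 'Any' -and
    (@($port.LocalPort) | Where-Object { $_ -eq 'Any' -or $EpmTcpPorts -contains $_ }).Count -gt 0
}
$broadAllows | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
# After reviewing the list above:  $broadAllows | Disable-NetFirewallRule

# 3. Scoped allow rule: only the trusted ranges may reach the EPM listener ports.
New-NetFirewallRule -DisplayName 'EPM core - trusted ranges only' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $EpmTcpPorts -RemoteAddress $TrustedRanges -Profile Any

# 4. Verify the rule carries the intended remote-address scope.
Get-NetFirewallRule -DisplayName 'EPM core - trusted ranges only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Step 2 matters more than it looks: Windows Firewall evaluates block rules before allow rules, but two allow rules simply add up, so a leftover "allow 443 from Any" rule would make the scoped rule meaningless. Disable broad rules only after confirming agents from every managed subnet are covered by $TrustedRanges, otherwise endpoint check-in stops.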
🧯 If You Can't Patch
- Implement strict network access controls so the EPM core is reachable only from administrative networks and managed-endpoint subnets, never from the internet
- Monitor EPM service health and Windows event logs for crash events and unexpected restarts; repeated crashes in a short window indicate someone is triggering the bug
🔍 How to Verify
Check if Vulnerable:
Open the EPM console and go to Help > About to read the installed version/build number. Compare it against the patched build numbers listed in the vendor advisory; any EPM 2024 or EPM 2022 SU6 build below the January 2025 security update is vulnerable.
Check Version:
In EPM console: Help > About displays the current version and build information.
Verify Fix Applied:
After patching, confirm Help > About shows a build at or above the one the advisory lists for the January 2025 security update (EPM 2024 or EPM 2022 SU6), then test that consoles connect and agents check in normally.
📡 Detection & Monitoring
Log Indicators:
- EPM service crash events in Windows Event Logs
- Unexpected service restarts in EPM application logs
- Access attempts from unexpected sources
Network Indicators:
- Unusual traffic patterns to EPM server ports
- Multiple connection attempts from single sources
SIEM Query:
(source="windows" AND (event_id=7034 OR event_id=1000) AND (message="*LANDesk*" OR message="*Ivanti*")) OR (source="ivanti_epm" AND (message="*crash*" OR message="*unexpected shutdown*"))
Notes: event 7034 is logged in the System log by the Service Control Manager and names the service in the message text rather than in a process field; event 1000 is logged in the Application log and names the faulting executable. Field names (event_id, message, source) and the service-name patterns are SIEM- and deployment-specific; take the actual EPM service display names from Get-Service on the core server, since many still carry the LANDesk name.
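The following is an added example of the crash-burst detection described under Log Indicators, written in PowerShell for the core server itself; it is not part of the original page or the Ivanti advisory. The service-name pattern and the sample events are constructed placeholders, and the live Get-WinEvent collection is shown commented out so the block runs offline.

```powershell
# Added example (not from the advisory): flag bursts of EPM service crashes.
# Event 7034 (System log, Service Control Manager) records a service that terminated
# unexpectedly; event 1000 (Application log, Application Error) records the faulting
# process. One crash is noise; several in a short window on a network-reachable core
# is a signal worth paging on.
#
# ASSUMPTION: $EpmNamePattern is a placeholder. Use the display names of your EPM core
# services (Get-Service on the core); many still carry the LANDesk name.
$EpmNamePattern = 'LANDesk|LANDESK|Ivanti'
$WindowMinutes  = 10
$Threshold      = 3

function Find-EpmCrashBursts {
    param(
        [object[]]$Events,       # objects with TimeCreated, Id, Message (Get-WinEvent shape)
        [string]$Pattern,
        [int]$WindowMinutes,
        [int]$Threshold
    )
    # Keep only crash events whose message names an EPM component, oldest first.
    $hits = @($Events |
        Where-Object { ($_.Id -in 7034, 1000) -and ($_.Message -match $Pattern) } |
        Sort-Object TimeCreated)

    $bursts = @()
    $i = 0
    while ($i -lt $hits.Count) {
        $start    = $hits[$i].TimeCreated
        $end      = $start.AddMinutes($WindowMinutes)
        $inWindow = @($hits | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $end })
        if ($inWindow.Count -ge $Threshold) {
            $bursts += [pscustomobject]@{
                WindowStart = $start
                Crashes     = $inWindow.Count
                FirstEvent  = $inWindow[0].Message
            }
            $i += $inWindow.Count   # report each window once, then move past it
        } else {
            $i++
        }
    }
    return $bursts
}

# Live collection on the core server (commented out so the example runs offline):
# $events = @(Get-WinEvent -FilterHashtable @{LogName='System';      Id=7034; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue) +
#           @(Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue)

# Constructed sample events for offline testing (not real log data; service and path
# names are placeholders).
$t0 = [datetime]'2025-01-20T09:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               Id = 7034; Message = 'The LANDesk Inventory Server service terminated unexpectedly.' },
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); Id = 1000; Message = 'Faulting application path: C:\Program Files\LANDesk\ManagementSuite\<service binary>' },
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Id = 7034; Message = 'The LANDesk Inventory Server service terminated unexpectedly.' },
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(7); Id = 7034; Message = 'The Print Spooler service terminated unexpectedly.' },  # unrelated service, ignored
    [pscustomobject]@{ TimeCreated = $t0.AddHours(6);   Id = 7034; Message = 'The LANDesk Inventory Server service terminated unexpectedly.' }
)

Find-EpmCrashBursts -Events $sample -Pattern $EpmNamePattern -WindowMinutes $WindowMinutes -Threshold $Threshold |
    Format-Table -AutoSize
```

In the constructed sample the three EPM-related events in the first ten minutes form one burst, the Print Spooler crash is filtered out by the name pattern, and the isolated crash six hours later falls below the threshold. Tune $WindowMinutes and $Threshold to the baseline of your core server; a healthy EPM core should log no 7034 events for its own services between maintenance windows, so even a threshold of 2 is defensible once the false-positive sources are known.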