CVE-2024-13171
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to execute arbitrary code on Ivanti Endpoint Manager (EPM) systems by exploiting insufficient filename validation. Exploitation requires local user interaction but no authentication. Organizations running Ivanti EPM versions released before the January 2025 security updates are affected.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data theft, lateral movement, ransomware deployment, or complete control of the endpoint management infrastructure.
Likely Case
Attackers gain initial foothold on the EPM server, then pivot to managed endpoints or steal credentials and sensitive data from the management system.
If Mitigated
Attack fails due to proper network segmentation, EDR protection, or user interaction not occurring.
🎯 Exploit Status
Requires local user interaction but no authentication. CWE-434 indicates unrestricted upload of dangerous file types.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January 2025 Security Update, EPM 2022 SU6 January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: No
Instructions:
1. Download the security update from Ivanti's support portal.
2. Apply the update to all EPM servers.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Restrict network access to EPM
Limit access to EPM servers to only trusted administrative networks and users.
Implement application allowlisting
Use EDR or application control to prevent execution of unauthorized files on EPM servers.
🧯 If You Can't Patch
- Isolate EPM servers from internet and untrusted networks using firewall rules.
- Implement strict user awareness training to prevent interaction with suspicious files.
🔍 How to Verify
Check if Vulnerable:
Check EPM version in the console or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Version
Check Version:
reg query "HKLM\SOFTWARE\LANDesk\ManagementSuite" /v Version
Verify Fix Applied:
Confirm that the version shows EPM 2024 with the January 2025 update applied, or EPM 2022 SU6 with the January 2025 update applied.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to EPM web interface
- Suspicious process execution on EPM servers
- Failed authentication attempts followed by file operations
Network Indicators:
- Unusual outbound connections from EPM servers
- Traffic to known malicious IPs from EPM infrastructure
SIEM Query:
source="epm_server" AND (event="file_upload" OR process="powershell.exe" OR process="cmd.exe")
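As an added example (not part of this advisory or of any Ivanti tooling), the filter below implements the SIEM query above in Python and adds the "failed authentication followed by file operations" correlation from the log indicators; the key=value log layout, field names and the sample lines are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed key=value layout (not real EPM logs).
SAMPLE_LOG = [
    "2025-01-15T10:00:01Z source=epm_server event=auth user=svc result=failed",
    "2025-01-15T10:00:05Z source=epm_server event=auth user=svc result=failed",
    "2025-01-15T10:00:40Z source=epm_server event=file_upload user=svc path=C:\\inetpub\\x.aspx",
    "2025-01-15T10:01:10Z source=epm_server event=process process=cmd.exe parent=w3wp.exe",
    "2025-01-15T11:30:00Z source=epm_server event=file_upload user=admin path=C:\\packages\\agent.msi",
    "2025-01-15T11:30:01Z source=other event=process process=cmd.exe",
]


def parse(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def siem_matches(records):
    """Same predicate as the advisory's SIEM query: EPM source AND
    (file upload OR a powershell.exe / cmd.exe process event)."""
    return [
        r for r in records
        if r.get("source") == "epm_server"
        and (r.get("event") == "file_upload"
             or r.get("process") in ("powershell.exe", "cmd.exe"))
    ]


def failed_auth_then_file_op(records, window=timedelta(minutes=5)):
    """Flag EPM file uploads preceded, within `window`, by failed
    authentications for the same user. Returns (ts, user, path, n_failures)."""
    failures = [r for r in records
                if r.get("event") == "auth" and r.get("result") == "failed"]
    hits = []
    for r in records:
        if r.get("source") != "epm_server" or r.get("event") != "file_upload":
            continue
        prior = [f for f in failures
                 if f.get("user") == r.get("user")
                 and f["ts"] <= r["ts"] and r["ts"] - f["ts"] <= window]
        if prior:
            hits.append((r["ts"], r.get("user"), r.get("path"), len(prior)))
    return hits
```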