CVE-2024-13172
📋 TL;DR
Ivanti Endpoint Manager (EPM) insufficiently verifies the authenticity of data it processes, which this page describes as improper signature verification. A remote attacker needs no credentials to exploit it, but does need a local user on the target to interact, so it is not a no-click network attack; once that interaction happens the attacker can execute arbitrary code on the EPM system. EPM 2024 and EPM 2022 SU6 installations that have not received their January 2025 security updates are affected.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM) 2024, before the January 2025 Security Update
- Ivanti Endpoint Manager (EPM) 2022 SU6, before the January 2025 Security Update
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement across the network, ransomware deployment, or persistent backdoor installation.
Likely Case
Initial foothold for attackers to establish persistence, steal credentials, or deploy malware on vulnerable EPM servers.
If Mitigated
Attackers cannot execute arbitrary code; system integrity remains intact with proper signature verification in place.
🎯 Exploit Status
No public exploit is referenced on this page. The attack is remote and unauthenticated but depends on a local user interacting with attacker-controlled content; the signature verification bypass is what turns that interaction into code execution on the EPM system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024, January 2025 Security Update; EPM 2022 SU6, January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: No
Instructions:
1. Download the January 2025 security update for your EPM line (2024 or 2022 SU6) from Ivanti's support portal.
2. Apply the update to every affected EPM core server.
3. Confirm the update took effect by checking the version in the EPM console under Help > About against the advisory.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM servers to trusted administrative networks only.
User Awareness
Because exploitation needs a local user to act, tell EPM console users and administrators not to accept unexpected prompts or open untrusted content on EPM systems.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPM servers from untrusted networks.
- Deploy application control or endpoint detection and response (EDR) on EPM core servers and alert on shells or script hosts spawned by EPM processes.
🔍 How to Verify
Check if Vulnerable:
Check the EPM server version in the Ivanti EPM console under Help > About and compare it with the patched versions listed in the vendor advisory.
Check Version:
No command-line version check is given on this page; use the EPM console interface.
Verify Fix Applied:
Verify the version shows the January 2025 security update has been applied.
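The following PowerShell is an added example for administrators who want to check version numbers from a script rather than the console; it is not Ivanti's tooling and not part of the original page. It reads the installed-product entries from the standard Windows uninstall registry keys and compares each matching entry against a version string the administrator supplies. The DisplayName patterns ('*Ivanti*', '*LANDesk*') and the placeholder required version are assumptions: take the exact patched build number from the vendor advisory, and confirm in Help > About that the registry value reflects the security update.

```powershell
# Added example, not Ivanti's own tooling. Lists EPM-related products from the
# Windows uninstall registry and compares each against a required version that
# the administrator takes from the January 2025 advisory.
# ASSUMPTIONS: DisplayName matches '*Ivanti*' or '*LANDesk*'; the required
# version passed to Invoke-EpmPatchCheck must come from the advisory.

function Get-EpmInstalledProducts {
    param(
        [string[]]$NamePatterns = @('*Ivanti*', '*LANDesk*')   # assumption
    )
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePatterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-EpmVersionAtLeast {
    param(
        [string]$Installed,
        [Parameter(Mandatory)][string]$Required
    )
    # [version] parses 2-4 dotted numeric components. Anything that does not
    # parse is reported as $null (unknown) rather than silently passing.
    $i = $null; $r = $null
    if (-not [version]::TryParse($Installed, [ref]$i)) { return $null }
    if (-not [version]::TryParse($Required,  [ref]$r)) { return $null }
    return ($i -ge $r)
}

function Invoke-EpmPatchCheck {
    param([Parameter(Mandatory)][string]$RequiredVersion)   # from the advisory
    foreach ($p in Get-EpmInstalledProducts) {
        $ok = Test-EpmVersionAtLeast -Installed ([string]$p.DisplayVersion) -Required $RequiredVersion
        if ($ok -eq $true)      { $status = 'PATCHED' }
        elseif ($ok -eq $false) { $status = 'VULNERABLE' }
        else                    { $status = 'UNKNOWN' }   # missing or non-numeric version
        [pscustomobject]@{
            Product   = $p.DisplayName
            Installed = $p.DisplayVersion
            Required  = $RequiredVersion
            Status    = $status
        }
    }
}

# Usage (the version below is a placeholder, not the real patched build):
# Invoke-EpmPatchCheck -RequiredVersion '0.0.0.0' | Format-Table -AutoSize
```

Run it on each EPM core server; an UNKNOWN status means the registry value could not be parsed and the console's Help > About dialog is the authority.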
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from EPM services
- Failed signature verification attempts in EPM logs
- Unexpected network connections from EPM servers
Network Indicators:
- Suspicious outbound connections from EPM servers to external IPs
- Anomalous traffic patterns to/from EPM management ports
SIEM Query (pseudo-query; the source and event_type fields are placeholders to be mapped onto your own log schema):
source="epm_server" AND (event_type="process_execution" OR event_type="signature_verification_failure")
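As an added example, not from the page or from Ivanti, the PowerShell below turns the first log indicator above (unusual process execution from EPM services) into a concrete check over Sysmon Event ID 1 process-creation records: it flags any shell or script host whose parent process lives under the EPM install directory. It runs first against constructed sample records embedded inline, and a second function applies the same test to the live Sysmon operational log. The EPM install path and the list of suspicious child images are assumptions to tune for your environment; this detects post-exploitation behaviour, not the signature verification bypass itself.

```powershell
# Added example, not Ivanti's own code. Flags process creations where the
# parent is an EPM binary and the child is a shell or script host.
# ASSUMPTIONS: EPM core install path below; list of suspicious children.

$EpmInstallRoot = 'C:\Program Files\LANDesk\ManagementSuite'    # assumption
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe',
                        'certutil.exe', 'bitsadmin.exe')                 # assumption

function Test-EpmSpawnedShell {
    # $Event needs Image and ParentImage (full paths), as in Sysmon EID 1.
    param([Parameter(Mandatory)][pscustomobject]$Event)
    if (-not $Event.Image -or -not $Event.ParentImage) { return $false }
    $parentIsEpm  = $Event.ParentImage -like "$EpmInstallRoot\*"
    $childName    = Split-Path -Leaf $Event.Image
    $childIsShell = $SuspiciousChildren -contains $childName   # -contains is case-insensitive
    return ($parentIsEpm -and $childIsShell)
}

function ConvertFrom-SysmonProcessCreate {
    # Flattens a Sysmon EID 1 EventLogRecord into the shape Test-EpmSpawnedShell expects.
    param([Parameter(Mandatory)]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $Record.TimeCreated
        Image       = $data['Image']
        ParentImage = $data['ParentImage']
        CommandLine = $data['CommandLine']
    }
}

function Get-LiveEpmSpawnedShells {
    # Live query of the Sysmon operational log (requires Sysmon and read rights).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonProcessCreate $_ } |
        Where-Object { Test-EpmSpawnedShell $_ }
}

# Constructed sample records (not real telemetry) to exercise the check offline.
$samples = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\services.exe'
                       Image       = "$EpmInstallRoot\CoreService.exe"       # benign: service start
                       CommandLine = '' }
    [pscustomobject]@{ ParentImage = "$EpmInstallRoot\CoreService.exe"
                       Image       = 'C:\Windows\System32\cmd.exe'          # suspicious: shell from EPM
                       CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ ParentImage = "$EpmInstallRoot\CoreService.exe"
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -enc AAAA' }                # suspicious
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'          # benign: not an EPM parent
                       CommandLine = 'cmd.exe' }
)

$samples | Where-Object { Test-EpmSpawnedShell $_ } |
    Format-Table ParentImage, Image, CommandLine -AutoSize
# Expect the two records whose parent is CoreService.exe and whose child is a shell.
```

Wire Get-LiveEpmSpawnedShells into a scheduled task or your EDR's custom-rule mechanism; the same parent/child logic translates directly into a SIEM rule once the field names are mapped.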