CVE-2024-29847
📋 TL;DR
This critical vulnerability allows remote unauthenticated attackers to execute arbitrary code on Ivanti EPM systems by exploiting insecure deserialization in the agent portal. Organizations using Ivanti EPM 2022 before SU6 or 2024 before the September 2024 update are affected. Attackers can gain full control of vulnerable systems without authentication.
💻 Affected Systems
- Ivanti Endpoint Manager (EPM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement across the network, and persistent backdoor installation.
Likely Case
Remote code execution allowing attackers to install malware, steal credentials, and pivot to other systems in the environment.
If Mitigated
Limited impact if systems are isolated, patched, or have network controls preventing external access to the agent portal.
🎯 Exploit Status
The CVSS 9.8 score, unauthenticated nature, and remote code execution capability make this highly attractive for exploitation. While no public PoC exists at analysis time, similar deserialization vulnerabilities are frequently weaponized quickly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2022 SU6 or later, EPM 2024 September 2024 update or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Ivanti's support portal.
2. Apply EPM 2022 SU6 for 2022 deployments.
3. Apply the September 2024 update for 2024 deployments.
4. Restart the EPM server and affected services.
5. Verify successful installation through the EPM console.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the EPM agent portal (typically port 443) to trusted management networks only.
Use firewall rules to block external access to EPM server ports.
Disable Agent Portal
Temporarily disable the vulnerable agent portal component if it is not required for operations.
Stop the Ivanti EPM Agent Portal service via services.msc or an equivalent tool.
🧯 If You Can't Patch
- Isolate the EPM server from internet access and restrict internal access to only necessary administrative systems.
- Implement application control/whitelisting to prevent execution of unauthorized binaries even if RCE is achieved.
🔍 How to Verify
Check if Vulnerable:
Check EPM version in the console: Settings > About. Versions before 2022 SU6 or 2024 September update are vulnerable.
Check Version:
In EPM console: Navigate to Settings > About to view version information.
Verify Fix Applied:
Verify that the version shows 2022 SU6 or later, or 2024 with the September 2024 update or later. Check that the patch installation completed successfully in the EPM console logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from EPM services
- Unexpected network connections from EPM server
- Failed authentication attempts to agent portal followed by successful exploitation
Network Indicators:
- Unusual outbound connections from EPM server
- Traffic to known malicious IPs from EPM server
- Anomalous HTTP requests to the agent portal endpoint
SIEM Query (field names and values are placeholders; adapt them to your log schema):
source="EPM_Server" AND ((event_type="process_creation" AND parent_process="EPM_Service") OR (destination_port=443 AND http_user_agent CONTAINS "malicious"))
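The two log indicators above (unusual process creation from EPM services, unexpected network connections from the EPM server) can be checked outside the SIEM as well. The following is an added example, not code from the advisory or from Ivanti: a small triage routine run over constructed process-creation and network events. The host name, the EPM install directory, the parent binary name (AgentPortalHost.exe) and the event field names are assumptions; map them onto your EDR or SIEM schema before use.

```python
"""Added example (not part of the advisory): triage of constructed
process-creation and network events against the two log indicators.
Host names, install directory, binary names and field names are assumed."""
from __future__ import annotations

import ipaddress
from typing import Optional

# Assumed: the host(s) running the EPM server role.
EPM_HOSTS = {"epm-srv01"}
# Assumed install directory; any parent started from here counts as an EPM service.
EPM_DIR = "c:\\program files\\ivanti\\epm\\"
# Interpreters and LOLBins an EPM service has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}
# Assumed: the management networks the EPM server is expected to talk to.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_process_event(ev: dict) -> Optional[str]:
    """'Unusual process creation from EPM services': an EPM binary spawning a shell."""
    if ev["host"] not in EPM_HOSTS:
        return None
    if not ev["parent_image"].lower().startswith(EPM_DIR):
        return None
    child = basename(ev["image"])
    if child in SUSPICIOUS_CHILDREN:
        return f"{ev['host']}: {basename(ev['parent_image'])} spawned {child}"
    return None


def flag_network_event(ev: dict) -> Optional[str]:
    """'Unexpected network connections from EPM server': egress outside trusted nets."""
    if ev["host"] not in EPM_HOSTS:
        return None
    dest = ipaddress.ip_address(ev["dest_ip"])
    if any(dest in net for net in TRUSTED_NETS):
        return None
    return f"{ev['host']}: outbound {ev['dest_ip']}:{ev['dest_port']} from {basename(ev['image'])}"


def triage(events: list) -> list:
    """Return one finding string per event that matches an indicator."""
    findings = []
    for ev in events:
        hit = flag_process_event(ev) if ev["type"] == "process" else flag_network_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry; 203.0.113.0/24 is a documentation range, not a real IoC.
EPM_PARENT = r"C:\Program Files\Ivanti\EPM\AgentPortalHost.exe"  # constructed binary name
SAMPLE_EVENTS = [
    {"type": "process", "host": "epm-srv01", "parent_image": EPM_PARENT,
     "image": r"C:\Windows\System32\cmd.exe"},                    # shell from EPM: flag
    {"type": "process", "host": "epm-srv01", "parent_image": EPM_PARENT,
     "image": r"C:\Program Files\Ivanti\EPM\LogWriter.exe"},       # routine child: ignore
    {"type": "process", "host": "ws-042", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},                    # not the EPM host: ignore
    {"type": "network", "host": "epm-srv01", "image": EPM_PARENT,
     "dest_ip": "10.10.5.20", "dest_port": 443},                   # trusted net: ignore
    {"type": "network", "host": "epm-srv01", "image": EPM_PARENT,
     "dest_ip": "203.0.113.45", "dest_port": 443},                 # unexpected egress: flag
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The process rule keys on the parent's install directory rather than on a single service name, so it also covers the "If You Can't Patch" case where application control is in place: a blocked shell still leaves a process-creation event that this check will surface. Tune TRUSTED_NETS to the management networks allowed in the segmentation workaround, so the network rule and the firewall policy agree.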