CVE-2024-36130
📋 TL;DR
This vulnerability allows an unauthorized attacker on the same network to bypass authentication in Ivanti EPMM's web component and execute arbitrary commands on the underlying operating system. It affects all Ivanti Endpoint Manager for Mobile (EPMM) versions prior to 12.1.0.1, enabling full system compromise.
💻 Affected Systems
- Ivanti Endpoint Manager for Mobile (EPMM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPMM appliance allowing installation of persistent backdoors, data exfiltration, and lateral movement to connected endpoints and networks.
Likely Case
Attackers gain root/system-level access to the appliance, enabling credential theft, configuration manipulation, and deployment of malware to managed mobile devices.
If Mitigated
With proper network segmentation and access controls, impact is limited to the EPMM appliance itself, though complete compromise of that system remains possible.
🎯 Exploit Status
A CVSS score of 9.8 reflects trivial exploitation with high impact: network access to the EPMM web component is the only requirement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.1.0.1
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024
Restart Required: Yes
Instructions:
1. Back up the EPMM configuration and data.
2. Download EPMM 12.1.0.1 from the Ivanti portal.
3. Apply the update via the EPMM admin interface.
4. Restart the appliance.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the EPMM appliance to authorized administrative networks only
Firewall Rules
Block all non-essential inbound traffic to EPMM web ports (typically 443, 8443)
# Replace TRUSTED_NET with the administrative network in CIDR form (placeholder, e.g. 10.0.1.0/24).
# -A appends: an earlier ACCEPT rule for port 443 in the INPUT chain would take precedence,
# so check the existing chain first (iptables -L INPUT -n --line-numbers) and repeat for 8443 if exposed.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Isolate the EPMM appliance on a dedicated VLAN with strict firewall rules that allow only necessary administrative access
- Implement network monitoring and intrusion detection specifically for EPMM appliance traffic
🔍 How to Verify
Check if Vulnerable:
Check the EPMM version in the admin interface under Settings > About. If the version is below 12.1.0.1, the system is vulnerable.
Check Version:
Connect to the EPMM admin interface and navigate to the Settings > About page.
Verify Fix Applied:
Confirm that the version shows 12.1.0.1 or higher in the admin interface and test that administrative functions work normally.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to EPMM web interface
- Unexpected command execution in system logs
- Changes to EPMM configuration from unknown sources
Network Indicators:
- Unusual traffic patterns to EPMM web ports from non-admin networks
- Command and control traffic originating from EPMM appliance
SIEM Query:
source="epmm" AND (event_type="authentication_failure" OR event_type="command_execution")
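The SIEM query above matches each event type on its own; as an added example (not part of this advisory card or of Ivanti's tooling), the Python below ties them together per source address, alerting when a command_execution event follows an authentication_failure from the same src_ip within a short window. The key=value log layout and field names are constructed for illustration and are not EPMM's real log format; map them to your SIEM's parsed fields when adapting it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical layout, NOT the real EPMM log format).
SAMPLE_LOG = """\
ts=2024-07-10T09:00:01Z source=epmm event_type=authentication_failure src_ip=10.0.5.23 user=admin
ts=2024-07-10T09:00:04Z source=epmm event_type=authentication_failure src_ip=10.0.5.23 user=admin
ts=2024-07-10T09:00:09Z source=epmm event_type=command_execution src_ip=10.0.5.23 cmd="id"
ts=2024-07-10T09:15:00Z source=epmm event_type=authentication_success src_ip=10.0.1.10 user=jdoe
ts=2024-07-10T11:30:00Z source=epmm event_type=command_execution src_ip=10.0.1.10 cmd="backup"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = timedelta(minutes=5)  # how close a failure and an execution must be to correlate


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(log_text, window=WINDOW):
    """Return (src_ip, timestamp, cmd) tuples for every command_execution that
    follows an authentication_failure from the same src_ip within `window`.
    Events are assumed to arrive in time order, as they would from a log file."""
    last_failure = {}  # src_ip -> timestamp of its most recent auth failure
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip = ev.get("src_ip")
        if ev["event_type"] == "authentication_failure":
            last_failure[ip] = ev["ts"]
        elif ev["event_type"] == "command_execution":
            failed_at = last_failure.get(ip)
            if failed_at is not None and ev["ts"] - failed_at <= window:
                alerts.append((ip, ev["ts"], ev.get("cmd")))
    return alerts


if __name__ == "__main__":
    for ip, ts, cmd in correlate(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} src_ip={ip} ran {cmd!r} shortly after auth failures")
```

The legitimate admin at 10.0.1.10 runs a command hours after a successful login and produces no alert, while the source that fails authentication and then executes a command seconds later does.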