CVE-2024-44103
📋 TL;DR
This vulnerability allows a local authenticated attacker to perform DLL hijacking in Ivanti Workspace Control's management console, enabling privilege escalation. Attackers can execute arbitrary code with elevated privileges by placing malicious DLLs in specific locations. Organizations using Ivanti Workspace Control versions before 2025.2 are affected.
💻 Affected Systems
- Ivanti Workspace Control
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where attackers gain administrative privileges, install persistent backdoors, access sensitive data, and move laterally across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and access restricted system resources.
If Mitigated
Limited impact with proper access controls, application whitelisting, and least privilege principles in place.
🎯 Exploit Status
DLL hijacking is a well-known technique requiring local authenticated access and knowledge of vulnerable DLL loading paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2 (10.19.0.0) or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC
Restart Required: Yes
Instructions:
1. Download Ivanti Workspace Control version 2025.2 or later from the Ivanti portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart the system.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict DLL Loading Paths
Configure Windows to restrict DLL loading from untrusted directories using DLL search order hardening.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Value 0xffffffff
Application Whitelisting
Implement application control policies to prevent execution of unauthorized DLLs.
# Configure Windows Defender Application Control or AppLocker policies
🧯 If You Can't Patch
- Implement strict least privilege principles - ensure users don't have write permissions to directories in DLL search paths.
- Monitor for suspicious DLL loading events and file creation in application directories using endpoint detection tools.
🔍 How to Verify
Check if Vulnerable:
Check Ivanti Workspace Control version in Control Panel > Programs and Features or run 'wmic product get name,version' and look for versions below 2025.2.
Check Version:
wmic product where "name like '%Ivanti Workspace Control%'" get name,version
Verify Fix Applied:
Verify installed version is 2025.2 (10.19.0.0) or higher using the same version check methods.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Security logs showing DLL loading from unusual paths
- Application logs showing Ivanti Workspace Control loading DLLs from user-writable directories
Network Indicators:
- Unusual outbound connections from Ivanti Workspace Control processes post-exploitation
SIEM Query:
source="windows" event_id=4688 (process_name="*workspace*" OR process_name="*ivanti*") AND (dll_loaded="*temp*" OR dll_loaded="*users*")
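As an added example (not part of the original advisory or any Ivanti tooling), the log indicators above can be turned into triage logic like this. It assumes Sysmon Event ID 7 (ImageLoad) records already parsed into dicts; the sample events, install directory and file names are constructed placeholders.

```python
import ntpath

# Assumption: events are Sysmon Event ID 7 (ImageLoad) records parsed into dicts
# with Sysmon's Image, ImageLoaded and Signed fields.
PROCESS_HINTS = ("ivanti", "workspace")  # same wildcards as the SIEM query above
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")  # also hits C:\Windows\Temp


def norm(path):
    """Lower-case and resolve '/' and '..' so odd spellings cannot dodge prefix tests."""
    return ntpath.normpath(path).lower()


def assess(event):
    """Return a finding dict for a suspicious image load, or None."""
    image, dll = norm(event["Image"]), norm(event["ImageLoaded"])
    if not any(hint in image for hint in PROCESS_HINTS):
        return None  # not a watched process
    if any(hint in dll for hint in WRITABLE_HINTS):
        reason = "user-writable path"
    elif not dll.startswith(TRUSTED_ROOTS):
        reason = "outside trusted roots"
    else:
        return None
    # Signature state is reported as context; location alone raises the finding.
    signed = str(event.get("Signed", "")).lower() == "true"
    return {"dll": dll, "reason": reason, "signed": signed}


def scan(events):
    """Assess every event and keep only the findings."""
    return [finding for finding in map(assess, events) if finding]


# Constructed sample records; directory and file names are placeholders.
CONSOLE = r"C:\Program Files\Ivanti-Placeholder\console-placeholder.exe"
SAMPLE_EVENTS = [
    {"Image": CONSOLE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": CONSOLE, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\a-placeholder.dll", "Signed": "false"},
    {"Image": CONSOLE, "ImageLoaded": r"C:/Program Files/../Users/Public/b-placeholder.dll", "Signed": "false"},
    {"Image": CONSOLE, "ImageLoaded": r"D:\share\c-placeholder.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Users\alice\d.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Loads from the application's own directory under Program Files are treated as trusted here, so pair this with an ACL review confirming that directory is not user-writable.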