CVE-2024-44105
📋 TL;DR
This vulnerability allows a local authenticated attacker to intercept OS credentials transmitted in cleartext within the Ivanti Workspace Control management console. Organizations using Ivanti Workspace Control versions before 2025.2 (10.19.0.0) are affected. The attacker must have local authenticated access to the system.
💻 Affected Systems
- Ivanti Workspace Control
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker obtains administrative OS credentials, leading to full system compromise, lateral movement, and data exfiltration.
Likely Case
Malicious insider or compromised local account harvests credentials for privilege escalation within the environment.
If Mitigated
With proper network segmentation and credential management, impact is limited to the local system where the attacker already has access.
🎯 Exploit Status
Exploitation requires local authenticated access and ability to intercept cleartext traffic on the local system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2 (10.19.0.0)
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC
Restart Required: Yes
Instructions:
1. Download Ivanti Workspace Control version 2025.2 or later from the Ivanti portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Network Segmentation (platform: all)
Isolate systems running Ivanti Workspace Control management console from untrusted networks and limit local access.
Credential Management (platform: windows)
Use dedicated service accounts with minimal privileges for Ivanti Workspace Control operations.
🧯 If You Can't Patch
- Implement strict access controls to limit local authenticated access to systems running Ivanti Workspace Control.
- Monitor for unusual credential usage and implement network traffic monitoring for cleartext authentication attempts.
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Workspace Control version in the management console or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Workspace Control\Version
Check Version:
reg query "HKLM\SOFTWARE\Ivanti\Workspace Control" /v Version
Verify Fix Applied:
Verify the version is 2025.2 (10.19.0.0) or later in the management console or registry.
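To run the check above across many hosts, the following added example (not from Ivanti or the original page) classifies captured `reg query` output against the fixed build 10.19.0.0, comparing version components numerically so that 10.9.x is not mistaken for newer than 10.19.x. It assumes the Version value is a REG_SZ holding the dotted build number; the host names and sample outputs are constructed.

```python
import re

FIXED = (10, 19, 0, 0)  # fixed build stated on this page: 2025.2 (10.19.0.0)

# Value line printed by `reg query "HKLM\SOFTWARE\Ivanti\Workspace Control" /v Version`,
# e.g. "    Version    REG_SZ    10.18.40.0" (assumed REG_SZ with a dotted build number).
VALUE_LINE = re.compile(r"^\s*Version\s+REG_SZ\s+(\S+)\s*$", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if absent or malformed."""
    m = VALUE_LINE.search(text)
    if not m or not re.fullmatch(r"\d+(\.\d+){0,3}", m.group(1)):
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad "10.19" to (10, 19, 0, 0)


def classify(text):
    """Classify one host's reg query output as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # key missing, access denied, or unexpected format
    # Tuple comparison is numeric per component; a string compare would rank
    # "10.9.0.0" above "10.19.0.0" and hide a vulnerable host.
    return "fixed" if version >= FIXED else "vulnerable"


def audit(outputs):
    """Map host name -> classification for a dict of captured outputs."""
    return {host: classify(out) for host, out in outputs.items()}


KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Ivanti\\Workspace Control"
# Constructed sample outputs keyed by hypothetical host names.
SAMPLES = {
    "ws-001": f"\r\n{KEY}\r\n    Version    REG_SZ    10.18.40.0\r\n\r\n",
    "ws-002": f"\n{KEY}\n    Version    REG_SZ    10.9.0.0\n\n",
    "ws-003": f"\n{KEY}\n    Version    REG_SZ    10.19.0.0\n\n",
    "ws-004": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check in the management console rather than being treated as patched.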
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful authentication from same source
- Unusual process accessing network interfaces
Network Indicators:
- Cleartext authentication traffic on localhost or internal interfaces involving Ivanti processes
SIEM Query:
source="*ivanti*" AND (event_type="authentication" OR protocol="http") AND NOT encrypted=true