CVE-2024-44107
📋 TL;DR
This vulnerability allows local authenticated attackers to perform DLL hijacking in Ivanti Workspace Control's management console, enabling privilege escalation and arbitrary code execution. Organizations using Ivanti Workspace Control versions before 2025.2 (10.19.0.0) are affected.
💻 Affected Systems
- Ivanti Workspace Control
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, lateral movement across the network, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to gain administrative rights on affected systems and execute malicious code.
If Mitigated
Limited impact with proper access controls, application whitelisting, and DLL path restrictions in place.
🎯 Exploit Status
DLL hijacking vulnerabilities are commonly exploited and require only local authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2 (10.19.0.0) or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-IWC
Restart Required: Yes
Instructions:
1. Download Ivanti Workspace Control version 2025.2 or later from the Ivanti portal. 2. Run the installer with administrative privileges. 3. Follow the upgrade wizard. 4. Restart affected systems.
🔧 Temporary Workarounds
Restrict DLL Loading Paths
windowsConfigure Windows to restrict DLL loading to trusted directories only
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Value 1
Application Whitelisting
windowsImplement application control policies to prevent unauthorized DLL execution
Configure Windows Defender Application Control or AppLocker policies
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the Ivanti Workspace Control management console
- Monitor for suspicious DLL loading events and file creation in application directories
🔍 How to Verify
Check if Vulnerable:
Check Ivanti Workspace Control version in Control Panel > Programs and Features or run 'wmic product get name,version'Check Version:
wmic product where "name like '%Ivanti Workspace Control%'" get versionVerify Fix Applied:
Verify version is 2025.2 (10.19.0.0) or later and test management console functionality📡 Detection & Monitoring
Log Indicators:
- DLL loading from unusual locations
- Process creation by Ivanti Workspace Control management console from non-standard paths
- Privilege escalation events
Network Indicators:
- Unusual outbound connections from Ivanti Workspace Control processes
SIEM Query:
EventID=4688 AND ProcessName LIKE '%IWC%' AND ParentProcessName LIKE '%explorer%' AND CommandLine LIKE '%.dll%'