CVE-2024-7572
📋 TL;DR
This vulnerability in Ivanti DSM allows local authenticated users to delete arbitrary files due to insufficient permissions. It affects organizations using Ivanti DSM versions before 2024.3.5740. Attackers with local access can exploit this to disrupt operations or delete critical system files.
💻 Affected Systems
- Ivanti Desktop and Server Management (DSM)
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete critical system files, configuration files, or application data, causing system instability, data loss, or complete system failure.
Likely Case
Malicious insiders or compromised accounts could delete important files to disrupt operations, cover tracks after other attacks, or cause targeted damage.
If Mitigated
With proper access controls and monitoring, impact is limited to non-critical files and can be quickly detected and contained.
🎯 Exploit Status
Exploitation requires local authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.5740
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Desktop-and-Server-Management-DSM-CVE-2024-7572
Restart Required: Yes
Instructions:
1. Download Ivanti DSM version 2024.3.5740 or later from the Ivanti portal.
2. Backup current configuration and data.
3. Install the update following Ivanti's upgrade documentation.
4. Restart the DSM server and verify functionality.
🔧 Temporary Workarounds
Restrict Local Access
(all platforms) Limit local access to DSM servers to only necessary administrative users
Implement File Integrity Monitoring
(all platforms) Monitor critical directories for unauthorized file deletions
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into DSM servers locally
- Deploy file integrity monitoring on critical system directories and DSM installation paths
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti DSM version in the administration console or via the DSM server interface. If the version is below 2024.3.5740, the system is vulnerable.
Check Version:
On DSM server: Check Help > About in the DSM console or review the installation directory version files.
Verify Fix Applied:
After patching, verify the version shows 2024.3.5740 or higher in the DSM administration console.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Failed file access attempts from non-admin users
- DSM service errors related to missing files
Network Indicators:
- Unusual authentication patterns to DSM servers
- Multiple failed file access attempts from single sources
SIEM Query:
EventID:4663 OR EventID:4656 (Windows file deletion events) from DSM servers OR 'file delete' AND 'dsm' in application logs
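The query above matches every 4663/4656 event, which is noisy on a busy server. The following added example (not from Ivanti or the original page) narrows triage to events whose access mask includes the DELETE right, on monitored paths, by accounts outside an allow-list. The path placeholder, account names and sample events are constructed assumptions.

```python
# Added example: triage Windows Security events 4663/4656 for delete access.
DELETE = 0x10000                      # DELETE standard right in AccessMask
WATCHED_EVENT_IDS = {4663, 4656}      # the event IDs named in the SIEM query
# Assumed placeholders: substitute the real DSM install path and admin accounts.
MONITORED_PREFIXES = (r"C:\PLACEHOLDER-DSM-INSTALL", r"C:\Windows\System32")
ADMIN_ACCOUNTS = {"dsm-admin"}

def _under(path, prefix):
    """True if path is the prefix directory or lies below it (case-insensitive)."""
    p, q = path.lower(), prefix.lower().rstrip("\\")
    return p == q or p.startswith(q + "\\")

def is_suspicious_delete(event):
    """Flag delete access on a monitored path by a non-allow-listed account."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return False
    mask = int(event.get("AccessMask", "0x0"), 16)   # logged as hex text
    if not mask & DELETE:
        return False                                  # no delete right involved
    obj = event.get("ObjectName", "")
    if not any(_under(obj, p) for p in MONITORED_PREFIXES):
        return False
    return event.get("SubjectUserName", "").lower() not in ADMIN_ACCOUNTS

def triage(events):
    """Return (account, object) pairs worth an analyst's attention."""
    return [(e["SubjectUserName"], e["ObjectName"])
            for e in events if is_suspicious_delete(e)]

# Constructed sample events using the field names of the Windows 4663/4656 schema.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x10000",
     "ObjectName": r"C:\PLACEHOLDER-DSM-INSTALL\config.xml"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x1",
     "ObjectName": r"C:\PLACEHOLDER-DSM-INSTALL\config.xml"},
    {"EventID": 4663, "SubjectUserName": "dsm-admin", "AccessMask": "0x10000",
     "ObjectName": r"C:\PLACEHOLDER-DSM-INSTALL\old.log"},
    {"EventID": 4656, "SubjectUserName": "svc-backup", "AccessMask": "0x10080",
     "ObjectName": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x10000",
     "ObjectName": r"C:\Windows\System32Evil\x.dll"},
]

if __name__ == "__main__":
    for user, obj in triage(SAMPLE_EVENTS):
        print(f"ALERT delete access by {user}: {obj}")
```

These events are only generated when object-access auditing is enabled and an audit entry (SACL) exists on the monitored directories.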