PoC Exploit Code Released for Ivanti Vulnerability

September 17, 2024

THE THREAT

Technical details and Proof-of-Concept (PoC) exploit code for the critical Ivanti Endpoint Manager (EPM) vulnerability CVE-2024-29847 are now publicly available. The release of this information significantly increases the likelihood of exploitation by threat actors. CVE-2024-29847 (CVSS: 10) is caused by deserialization of untrusted data in the agent portal of Ivanti EPM. Successful exploitation would allow an unauthenticated threat actor to achieve Remote Code Execution (RCE).

At the time of writing, there is no evidence of real-world attacks involving this vulnerability. The release of technical information and PoC exploit code, paired with the potential impact of exploitation, makes it highly probable that threat actors will adopt the exploit for CVE-2024-29847 and employ it in real-world attacks in the near future. Organizations using vulnerable versions of Ivanti EPM need to apply the relevant security patches immediately.

What we’re doing about it

What you should do about it

Additional information

CVE-2024-29847 was disclosed along with security patches on September 11th. The PoC exploit was shared only five days later.

Ivanti EPM is described as an “all-in-one endpoint management” system for Windows, macOS, Linux, Chrome OS, and IoT devices. EPM’s pervasiveness across networks would make any Remote Code Execution (RCE) vulnerability highly valuable to both state-sponsored and financially motivated threat actors. Due to the level of access provided and lack of required authentication, it is likely that ransomware groups will investigate CVE-2024-29847 as an avenue for initial access and ransomware deployment.

Vulnerabilities in Ivanti products have been heavily targeted in the past. On September 13th, Ivanti confirmed exploitation of another recently disclosed vulnerability, CVE-2024-8190. Details on exploitation are currently limited. In early 2024, Ivanti was impacted by three separate zero-day vulnerabilities. The past targeting of Ivanti products may indicate both high attacker interest and experience targeting related software.

Impacted Products
