Ivanti EPM vulnerabilities actively exploited in the wild, CISA warns

Published 2025-03-11. Source: https://cybersecurityinfocus.com/?p=2286

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities in Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), signaling that it has evidence of in-the-wild exploitation. The flaws were patched in January after being reported privately to Ivanti by the researcher who found them.

The three vulnerabilities, tracked as CVE-2024-13159, CVE-2024-13160 and CVE-2024-13161, are described by Ivanti as absolute path traversals and were part of a larger patch that addressed four critical and 12 high-severity flaws (https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US). At the time, the company said it had no evidence that these flaws were being exploited in the wild.

The three vulnerabilities, plus a fourth, were discovered and reported to Ivanti by researcher Zach Hanley of penetration testing firm Horizon3.ai. Hanley wrote up the research in a blog post in February (https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/) that also included proof-of-concept exploit code.

Credential coercion

Hanley described the flaws as credential coercion issues: an unauthenticated attacker can make the EPM server open a connection to an attacker-controlled host and authenticate to it with the server's machine account, and that authentication can then be used in NTLM relay attacks (https://www.csoonline.com/article/571263/ntlm-relay-attacks-explained-and-why-petitpotam-is-the-most-dangerous.html), which in turn can lead to compromise of the server itself.

Ivanti EPM is an asset monitoring and management solution for enterprises that can manage a variety of desktop and mobile devices. The server component is a .NET application that exposes various API endpoints.

Hanley found that input to several unauthenticated API endpoints was not properly sanitized and could be used to pass UNC absolute paths (of the form \\server\share\file) to several methods: GetHashForFile, GetHashForSingleFile, GetHashForWildcard and GetHashForWildcardRecursive, all of which compute hashes of files in caller-specified locations. When the server opens a path on an SMB share the attacker controls, it authenticates to that share with the EPM machine account credential, which is the coercion. Note that any file operation on the path, including a mere existence check, is enough to trigger the outbound SMB authentication, so path validation has to happen before the first file API call.

"Compromising the Endpoint Manager server itself would lead to the ability to compromise all of the EPM clients, making this avenue especially impactful," the researcher wrote.

Beyond applying the January update, the standard defenses against NTLM relay apply: block outbound SMB (TCP 445) from the EPM server to untrusted networks, and enforce SMB signing, LDAP signing and channel binding on the services an attacker would relay to.

Ivanti products in attackers' crosshairs

Multiple Ivanti products have been targeted by attackers over the past year, especially by state-sponsored cyberespionage groups that developed zero-day exploits for them.

In January Ivanti patched a critical remote code execution flaw in its Connect Secure SSL VPN appliance (https://www.csoonline.com/article/3652369/ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day.html) that a Chinese APT group had exploited as a zero-day since at least mid-December (https://www.csoonline.com/article/3732107/ivanti-zero-day-exploited-by-apt-group-that-previously-targeted-connect-secure-appliances.html).

That same group had exploited zero-day flaws in the same product (https://www.csoonline.com/article/1290205/chinese-hackers-exploit-ivanti-vpn-zero-days-for-rce-attacks.html) one year earlier.
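The path-handling bug class behind the three EPM flaws, shown as an added Python illustration that is neither Ivanti's .NET code nor Horizon3.ai's proof of concept. It puts the vulnerable shape (a file-hashing method that joins a caller-supplied path onto its data directory and opens whatever results) beside a hardened resolver that refuses UNC, drive-absolute, rooted and traversing paths before any file API is touched. BASE_DIR, FAKE_FS, the attacker hostname and the sample inputs are constructed for the example; the real EPM endpoints, their URLs and their parameter names are not reproduced here.

```python
"""Path-argument validation for a file-hashing API: the vulnerable shape
beside a hardened one.  Added example in Python, not Ivanti's .NET code and
not Horizon3.ai's proof of concept.  BASE_DIR, FAKE_FS and SAMPLE_INPUTS are
constructed for the example.  The bug class is the one behind
CVE-2024-13159/13160/13161: GetHashFor* methods accepted caller-supplied
paths verbatim, so a UNC path (\\\\host\\share\\...) made the server open an
SMB session to an attacker host and authenticate with its machine account."""
import hashlib
import ntpath

# Constructed stand-in for the server's data directory, keyed by normalized
# Windows path, so the example runs on any OS without touching disk.
BASE_DIR = r"C:\EPM\files"
FAKE_FS = {
    r"C:\EPM\files\agent.msi": b"not a real installer",
    r"C:\EPM\files\sub\policy.xml": b"<policy/>",
}


def vulnerable_target(user_path: str) -> str:
    """'Before' shape of the bug: ntpath.join discards BASE_DIR whenever the
    caller's path carries a drive letter, a UNC prefix or a leading separator,
    so the caller decides where the server opens a file."""
    return ntpath.normpath(ntpath.join(BASE_DIR, user_path))


def coerces_smb(target: str) -> bool:
    """True when opening `target` makes the host reach out over SMB: a UNC
    path (\\\\host\\share\\...) or its long form \\\\?\\UNC\\host\\share\\...
    Other \\\\?\\ and \\\\.\\ device paths are local and do not count."""
    drive = ntpath.splitdrive(target.replace("/", "\\"))[0]
    if not drive.startswith("\\\\"):
        return False                      # drive letter or relative: local
    if drive[2:4] in ("?\\", ".\\"):      # device-path prefix
        return drive.upper().startswith("\\\\?\\UNC")
    return True


def safe_target(user_path: str) -> str:
    """Hardened resolver: accept only a relative path that stays under
    BASE_DIR.  Raises ValueError otherwise (the endpoint should answer 400
    and log the attempt rather than touch the path)."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    if ":" in user_path:                  # C:\..., \\?\C:..., file:stream
        raise ValueError("drive letter or NTFS stream not allowed")
    if user_path[0] in "\\/":             # \x, \\host\share, //host/share
        raise ValueError("rooted or UNC path not allowed")
    if ntpath.splitdrive(user_path)[0]:   # belt and braces
        raise ValueError("path carries a drive or share")
    base = ntpath.normpath(BASE_DIR)
    full = ntpath.normpath(ntpath.join(base, user_path))
    # After dot-segment collapse the result must still sit under BASE_DIR;
    # this is what stops ..\..\Windows\win.ini.
    if ntpath.normcase(ntpath.commonpath([base, full])) != ntpath.normcase(base):
        raise ValueError("path escapes the base directory")
    return full


def get_hash_for_file(user_path: str) -> str:
    """Hardened endpoint body: validate first, then hash from the store."""
    target = safe_target(user_path)
    data = FAKE_FS.get(target)
    if data is None:
        raise FileNotFoundError(target)
    return hashlib.sha256(data).hexdigest()


def audit(user_path: str) -> dict:
    """What the vulnerable resolver would open versus the hardened verdict."""
    target = vulnerable_target(user_path)
    try:
        safe_target(user_path)
        verdict = "allowed"
    except ValueError as exc:
        verdict = f"rejected: {exc}"
    return {"input": user_path, "vulnerable_opens": target,
            "coerces_smb": coerces_smb(target), "hardened": verdict}


SAMPLE_INPUTS = [                         # constructed; last five are hostile
    r"agent.msi",
    r"sub/policy.xml",
    r"sub\..\agent.msi",
    r"..\..\Windows\win.ini",
    r"C:\Windows\win.ini",
    r"\\attacker.example\share\x",
    r"//attacker.example/share/x",
    r"\\?\UNC\attacker.example\share\x",
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(audit(sample))
```

Running the block prints one audit line per sample input; the two UNC spellings and the long-form `\\?\UNC\` path all resolve, under the vulnerable join, to a target that would make the server authenticate to attacker.example over SMB, while the hardened resolver rejects them on the cheap syntactic checks alone, before `normpath` or any file call runs. The `commonpath` comparison is the separate guard against `..` traversal inside an otherwise well-formed relative path, which the syntactic checks do not catch.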